Rowland penny
2021-May-06 12:32 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
On 06/05/2021 13:14, Jeremy Monnet wrote:
> No, I didn't see that part?! I hope I can still authenticate user
> against an AD using sssd, and have samba autonomous to provide Shares?
> I couldn't find any article or information on that subject?

Up until Samba 4.8.0, the smbd daemon (which you need for shares) could 'talk' directly to AD, so you could use sssd with Samba and have shares. When Samba 4.8.0 was released, things changed: smbd can no longer 'talk' to AD and, on a Unix domain member, you need to use 'security = ADS' and run winbind, and sssd and winbind are incompatible. If you want to use Samba with shares, you need to remove sssd.

> security = user is set automatically by realm when joining the domain.
> Which made me think it was set to work :-)

If that is the case, then it is probably a bug in realmd, use 'net ads join' to join the domain.

Rowland
Jeremy Monnet
2021-May-06 16:24 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
Hi,

On Thu, May 6, 2021 at 2:33 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 06/05/2021 13:14, Jeremy Monnet wrote:
> > No, I didn't see that part?! I hope I can still authenticate user
> > against an AD using sssd, and have samba autonomous to provide Shares?
> > I couldn't find any article or information on that subject?
>
> Up until Samba 4.8.0, the smbd daemon (which you need for shares) could
> 'talk' directly to AD, so you could use sssd with Samba and have shares.
> When Samba 4.8.0 was released, things changed, smbd can no longer 'talk'
> to AD and on a Unix domain member, you need to use 'security = ADS' and
> run winbind and sssd and winbind are incompatible. If you want to use
> Samba with shares, you need to remove sssd.

So Redhat does support that
https://access.redhat.com/solutions/3802321
(It is probably also behind a paywall - though I think you only need an account, not a paying one, never mind...)

In short:

    realm join testlab.redhat.com -U Administrator --client-software=sssd --membership-software=samba

and

    [global]
    realm = TESTLAB.REDHAT.COM
    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab
    [...]
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647

I do not know whether it works by accident, but eventually I am authenticating via SSSD and offering Shares via smb at the same time. I will probably have to migrate that soon nevertheless... :-/

Thanks for your insight,
Jeremy
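
Added example, not part of either message above: a small Python check of an smb.conf `[global]` section for the settings this thread turns on (the `security` value on a domain member and which idmap domains use the `sss` backend), plus an idmap range-overlap check that goes slightly beyond the thread. The function names are hypothetical and the sample text is constructed from the settings quoted in the last message.

```python
import re
from itertools import combinations

# Constructed sample: the [global] settings quoted above, without the "[...]" elision.
SAMPLE_SMB_CONF = """\
[global]
realm = TESTLAB.REDHAT.COM
workgroup = TESTLAB
security = ads
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config TESTLAB : backend = sss
idmap config TESTLAB : range = 200000-2147483647
"""

def parse_global(text):
    """Return the [global] parameters as a dict with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member_config(text):
    """Return a list of findings for a domain-member smb.conf."""
    params, findings, ranges = parse_global(text), [], {}
    security = params.get("security", "(unset)").lower()
    if security != "ads":
        findings.append(f"security = {security}: the thread says a domain member needs 'security = ADS'")
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(backend|range)", key)
        if m and m.group(2) == "range":
            ranges[m.group(1)] = tuple(int(n) for n in value.split("-"))
        elif m and value.lower() == "sss":
            findings.append(f"note: idmap backend 'sss' for {m.group(1)}, ID mappings are delegated to sssd")
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges overlap: {a} and {b}")
    return findings
```

Calling `check_member_config()` on the text of a real smb.conf returns an empty list when none of the three conditions is present.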