Jeremy Monnet
2021-May-06 16:24 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
Hi,

On Thu, May 6, 2021 at 2:33 PM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 06/05/2021 13:14, Jeremy Monnet wrote:
> >
> > No, I didn't see that part ?! I hope I can still authenticate user
> > against an AD using sssd, and have samba autonomous to provide Shares
> > ? I couldn't find any article or information on that subject ?
> >
> Up until Samba 4.8.0 , the smbd daemon (which you need for shares) could
> 'talk' directly to AD, so you could use sssd with Samba and have shares.
> When Samba 4.8.0 was released, things changed, smbd can no longer 'talk'
> to AD and on a Unix domain member, you need to use 'security = ADS' and
> run winbind and sssd and winbind are incompatible. If you want to use
> Samba with shares, you need to remove sssd.
>

So Redhat does support that
https://access.redhat.com/solutions/3802321 (It is probably also behind a paywall - though I think you only need an account, not a paying one, never mind...)
In short :

realm join testlab.redhat.com -U Administrator --client-software=sssd --membership-software=samba

and

[global]
realm = TESTLAB.REDHAT.COM
workgroup = TESTLAB
security = ads
kerberos method = secrets and keytab
[...]
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config TESTLAB : backend = sss
idmap config TESTLAB : range = 200000-2147483647

I do not know whether it works by accident, but eventually I am authenticating via SSSD and offering Shares via smb at the same time.
I will probably have to migrate that soon nevertheless... :-/

Thanks for your insight,

Jeremy
Rowland penny
2021-May-06 16:34 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
On 06/05/2021 17:24, Jeremy Monnet wrote:
> Hi,
>
> On Thu, May 6, 2021 at 2:33 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 06/05/2021 13:14, Jeremy Monnet wrote:
>>> No, I didn't see that part ?! I hope I can still authenticate user
>>> against an AD using sssd, and have samba autonomous to provide Shares
>>> ? I couldn't find any article or information on that subject ?
>>
>> Up until Samba 4.8.0 , the smbd daemon (which you need for shares) could
>> 'talk' directly to AD, so you could use sssd with Samba and have shares.
>> When Samba 4.8.0 was released, things changed, smbd can no longer 'talk'
>> to AD and on a Unix domain member, you need to use 'security = ADS' and
>> run winbind and sssd and winbind are incompatible. If you want to use
>> Samba with shares, you need to remove sssd.
>>
> So Redhat does support that
> https://access.redhat.com/solutions/3802321 (It is probably also
> behind a paywall - though I think you only need an account, not a
> paying one, never mind...)
> In short :
>
> realm join testlab.redhat.com -U Administrator --client-software=sssd
> --membership-software=samba
> and
>
> [global]
> realm = TESTLAB.REDHAT.COM
> workgroup = TESTLAB
> security = ads
> kerberos method = secrets and keytab
> [...]
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config TESTLAB : backend = sss
> idmap config TESTLAB : range = 200000-2147483647
>
>
> I do not know whether it works by accident, but eventually I am
> authenticating via SSSD and offering Shares via smb at the same time.
> I will probably have to migrate that soon nevertheless... :-/
>
> Thanks for your insight,
>
> Jeremy

Yes they might, but, as you say, you only get authentication, you do not get shares. You cannot run sssd and winbind together without expecting problems, they both contain their own versions of the winbind libs.

If you just want authentication, then run sssd without Samba, but if you require shares, then run smbd with winbind without sssd.

Rowland