Rowland penny
2021-May-06 17:24 UTC
[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty
On 06/05/2021 17:45, Kees van Vloten wrote:
> On 06-05-2021 18:34, Rowland penny via samba wrote:
>> On 06/05/2021 17:24, Jeremy Monnet wrote:
>>> Hi,
>>>
>>> On Thu, May 6, 2021 at 2:33 PM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 06/05/2021 13:14, Jeremy Monnet wrote:
>>>>> No, I didn't see that part ?! I hope I can still authenticate user
>>>>> against an AD using sssd, and have samba autonomous to provide Shares
>>>>> I couldn't find any article or information on that subject ?
>>>>
>>>> Up until Samba 4.8.0, the smbd daemon (which you need for shares) could
>>>> 'talk' directly to AD, so you could use sssd with Samba and have shares.
>>>> When Samba 4.8.0 was released, things changed, smbd can no longer 'talk'
>>>> to AD and on a Unix domain member, you need to use 'security = ADS' and
>>>> run winbind, and sssd and winbind are incompatible. If you want to use
>>>> Samba with shares, you need to remove sssd.
>>>>
>>> So Redhat does support that
>>> https://access.redhat.com/solutions/3802321 (It is probably also
>>> behind a paywall - though I think you only need an account, not a
>>> paying one, never mind...)
>>> In short :
>>>
>>> realm join testlab.redhat.com -U Administrator --client-software=sssd
>>> --membership-software=samba
>>> and
>>>
>>> [global]
>>>     realm = TESTLAB.REDHAT.COM
>>>     workgroup = TESTLAB
>>>     security = ads
>>>     kerberos method = secrets and keytab
>>> [...]
>>>     idmap config * : backend = tdb
>>>     idmap config * : range = 10000-199999
>>>     idmap config TESTLAB : backend = sss
>>>     idmap config TESTLAB : range = 200000-2147483647
>>>
>>>
>>> I do not know whether it works by accident, but eventually I am
>>> authenticating via SSSD and offering Shares via smb at the same time.
>>> I will probably have to migrate that soon nevertheless... :-/
>>>
>>> Thanks for your insight,
>>>
>>> Jeremy
>>
>>
>> Yes they might, but, as you say, you only get authentication, you do
>> not get shares. You cannot run sssd and winbind together without
>> expecting problems, they both contain their own versions of the
>> winbind libs.
>>
>> If you just want authentication, then run sssd without Samba, but if
>> you require shares, then run smbd with winbind without sssd.
>>
>> Rowland
>>
>>
>>
>>
> Would it be possible to combine the two, local/ssh authentication and
> being an smb fileserver?
> Some weeks ago we had a conversation about pam_winbind and logging on
> with an expired password. Then you pointed at this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=14622
>
> Which would drive me to use sssd + pam_sss instead of winbind +
> pam_winbind
>
> Kees
>

That is still a valid bug, I wonder if using ssh with kerberos would work (or not, as the case may be).

Rowland
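
An added example, not code from any poster in this thread or from the Samba project: a small audit helper that reads the `[global]` section of an smb.conf and reports which domains pair `security = ads` with the `sss` idmap backend, the combination this thread is debating. The function names and the sample text (constructed from the fragment quoted above) are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the smb.conf fragment quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    realm = TESTLAB.REDHAT.COM
    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647
"""

# Matches a normalised "idmap config <DOMAIN> : <option>" parameter name.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S+)$")


def parse_global(text):
    """Return (settings, idmap) parsed from the [global] section."""
    settings, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        # Only the first '=' separates name from value.
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())      # names are case-insensitive
        match = IDMAP_RE.match(key)
        if match:
            idmap.setdefault(match.group(1).upper(), {})[match.group(2)] = value
        else:
            settings[key] = value
    return settings, idmap


def sss_with_ads(text):
    """Domains using the sss idmap backend while security = ads is set."""
    settings, idmap = parse_global(text)
    if settings.get("security", "").lower() != "ads":
        return []
    return sorted(dom for dom, opts in idmap.items()
                  if opts.get("backend", "").lower() == "sss")
```
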