I have a system that is joined to an AD domain via SSSD. It was happily running Samba and serving shares using either Kerberos or password authentication; with the update to Samba 4.7.1 in the RHEL 7.5 release, all of that stopped working.
samba config file:
[global]
    log level = 5
    password server = *
    realm = AD.EXAMPLE.COM
    encrypt passwords = yes
    kerberos method = system keytab
    workgroup = AD
    server string = %h samba
    security = ADS
    map to guest = Bad User
    interfaces = <valid IP>
    hosts allow = <valid IP blocks>
    load printers = no
    passdb backend = tdbsam
    dns proxy = no
    max log size = 5000
    bind interfaces only = no
    restrict anonymous = 2

#============================ Share Definitions ==============================
[images]
    comment = example images
    path = /var/eng/
    guest ok = no
    printable = no
    write list =
    create mask = 0664
    directory mask = 0775
    read only = no
    valid users = +valid-example-group
    force group =
    browseable = yes
Now Samba will not even start without either libwbclient or sssd-libwbclient installed with the above configuration. After installing sssd-libwbclient and modifying valid users to:
valid users = AD\valid-example-group
Kerberos-based connections will work just fine. However, password-based connections for Windows systems that are not AD joined, or smbclient without Kerberos, do not work. I believe this is falling back to NTLM, and NTLM is simply not supported by SSSD, correct?
Oddly, what used to work with basically a call to getgrnam() no longer works in the 4.7.1 release of Samba, and there seems to be no mention that I can find as to why. Any thoughts?
It looks an awful lot like, if we need to support both krb and password-based connections, we will need to use winbind, correct? Or is there another way to make this thing work? If I have to use winbind, it looks like I need to use 'net ads join' or 'realm join --client-software=winbind', but it then seems to me that the system will be joined to the AD twice, once to use SSSD and once for winbind. Is this correct? Is there a way to make winbind and SSSD work together?
Further, it looks like, according to this: https://bugzilla.redhat.com/show_bug.cgi?id=1558560 that RHEL 7.6 with Samba 4.8.1 will require winbind to be running, period. I believe that statement to be a bit of an oversimplification because sssd-libwbclient should still work, or am I misunderstanding?
Any guidance here would be great; this seems to be a fairly murky area, or my Google-fu is weak.
-Erinn