On Sat, May 27, 2017 at 09:45:29PM -0700, Steve Dainard wrote:
I'm running samba 4.4.4 on el7. I'm attempting to provide a
auth by Kerberos or for non-kerberos hosts auth by password on Linux
or Windows (7)
SSSD cannot handle NTLM ('auth by password') so you have to run winbind
to make this possible. Adding the needed configuration manually is not
that easy so I would recommend re-considering Samba's net utility to
What is the specific feature you need from adcli? If it is
'preset-computer' I think you can just use the one-time password with
net as well.
If you want to SSSD running to lookup users and groups you can use
SSSD's idmap plugin to make sure winbind uses the same UIDs and GIDs,
see man idmap_sss for details.
> We have uid/gid/group memberships in AD and typically configure
> Linux hosts with a kerberos/sssd/ldap configuration which uses
> attributes from AD, but are not joined to domain.
> I need to be able to automate the domain join with salt stack, so I'm
> stuck using adcli to join the machine as it has a plain-text password
> option, I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf
> to the samba host.
> Thus far I've been able to browse shares from Linux, which
> authenticates with Kerberos OK. File/directory perms are respected,
> new files are created with proper uid, etc. No complaints on this
> When I attempt to connect from a domain joined Windows client I get
> prompted for credentials, and domain credentials do not work. It seems
> like the id of the user isn't passed through or looked up correctly
> after Kerberos auth, and the user is labelled as a guest user. Guest
> users are mapped to bad user in samba config. Here's a bit of logging
> when the Windows client tries to access a
> share: https://pastebin.com/pbEqj9ZR
> smb.conf: https://pastebin.com/XfeVTCDE
> sssd.conf: https://pastebin.com/Z57rRwBw
> krb5.conf: https://pastebin.com/JigdxgJ6
> Some other interesting tidbits:
> DNS is served by el6/bind, not by AD, but the AD srv records exist and
> work properly for auto discovery and binding.
> The samba server does not have a PTR record, although this seems to be
> a requirement for KDC's not members.
> The domain is ad.localdomain.com
, but hosts (including the samba
> server) have fqdn assigned by dhcp as <hostname>.dhcp.localdomain.com
> Any help is appreciated, usually its the Linux client that ends up
> being a pain, this is the first time for me a Windows client is having
> issues authing.
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org