Disabling SMBv1 on DC breaks authentication from clients

Tuesday, 28 February 2017

We have multiple linux servers configured with SSSD/realmd for authentication to Active
Directory. The systems are configured without winbind so using Kerberos to authenticate to
the domain.  Once SMBv1 was disabled on the domain controller none of the machines could
authenticate users. Any idea on why this would happen when we should be configured for
kerberos authentication?

**** /etc/sssd/sssd.conf ****
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
shell_fallback = /bin/bash
fallback_homedir = /home/%u

[pam]
reconnection_retries = 3

[sssd]
domains = internal.example.domain
config_file_version = 2
services = nss, pam, ifp

[domain/internal.example.domain]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
dyndns_update = False
ad_domain = internal.example.domain
krb5_realm = INTERNAL.EXAMPLE.DOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
krb5_store_password_if_offline = False
ldap_id_mapping = True
use_fully_qualified_names = False
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
entry_cache_timeout = 0
ad_enable_gc = False

**** /etc/krb5.conf ****
[libdefaults]
        default_realm = INTERNAL.EXAMPLE.DOMAIN

**** realm list ****
% sudo realm list
internal.example.domain
  type: kerberos
  realm-name: INTERNAL.EXAMPLE.DOMAIN
  domain-name: internal.example.domain
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

--
Brenden

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012