Web lists-archives.com

Re: [Samba] recommended smb.conf configuration for AD with realm+sssd

On Thu, 19 Apr 2018 10:52:51 +0200
Alexander Fieroch via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> Our linux clients are integrated to AD by the tool "realm" (no "net
> ads join") and use "sssd" for authenticating AD users. What is the 
> recommended configuration for smb.conf to authenticate AD users for 
> directory shares?

Well, if this is a Debian based OS, it would be 'apt-get purge sssd' ;-)

You do not need sssd and it isn't a Samba tool and isn't supported by
Samba, 'winbind' will do virtually everything that sssd can.

> First, it looks like the configuration for "security" should be "ADS" 
> and "server role" should be "member server" because these linux
> clients are domain members, but manpage for smb.conf says "ADS" and
> "member server" is for clients joined by the "net" utility which is
> not done here.
> So what is the recommended configuration in smb.conf for linux
> clients joined to AD by realm and use sssd for authentication?
>     security = ?
>     server role = ?
>     kerberos method = system keytab

It doesn't matter how you join the domain, those settings are the same
> Additionally I have to add manually a cifs/ SPN on the Windows DC
> with setspn for that machine account to get access on its samba
> shares. Can I add the cifs/ SPN entry with any linux rpc-tool?

Not that I am aware of (cue lots of people saying use this or that),
you will probably have to use ldap and add the attribute, just take
care you don't wipe out any existing SPNs


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba