
[Samba] 4.5 -> 4.8 samba fails to start




Hi Rowland,
  Thanks for your explanation.
We have set up Samba to authenticate users against an external MIT Kerberos server and usernames match those in Unix password files.

  The setup was almost exactly like the Ubuntu help page:
https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos
  There are others who have also set up Samba this way:
https://serverfault.com/questions/659017/possible-to-authenticate-samba-via-kerberos-but-without-domain-join
and others who have contacted the mailing list for help in setting up Samba this way:
https://lists.samba.org/archive/samba/2017-April/207728.html

After a hint from the Debian bug report (thanks Dan!) I was able to get Samba working with the external MIT KDC using SSSD. (A working config is below for the interested.) However, it would be great if this would function using all Samba software as previously. Is there a way to set up winbind/idmap to restore the behavior that "smbd directly contacts domain controllers"? (Quoted phrase from the 4.8 release notes.)

Thanks for the great software!
Chad.

smb.conf:
# Global parameters
# Note that some of these will vary depending on your setup!
# E.g. do you use vfs_fruit?
[global]
        dns proxy = No
        hostname lookups = Yes
        kerberos method = secrets and keytab
        logging = syslog@1 /var/log/samba/log.%m
        map to guest = Bad User
        max log size = 100000
        panic action = /usr/share/samba/panic-action %d
        realm = YOUR.KERB.REALM
        security = USER
        server signing = required
        server string = %h server
        workgroup = MYWORKGR
        fruit:nfs_aces = no
        idmap config * : backend = tdb
--------------------------------------------
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 7
domains = YOUR.KERB.REALM

[nss]
filter_groups = root
filter_users = root
debug_level = 7

[pam]
debug_level = 7

[domain/YOUR.KERB.REALM]
debug_level = 7
enumerate = false

# use Unix password files for username validation
id_provider = proxy
proxy_lib_name = files


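The smb.conf/sssd.conf pairing posted above, turned into a consistency check. This is an added example, not part of the original post and not Samba or SSSD code. The settings it checks are the ones in the posted configuration; treating them as required, along with the function names and the sample realm `EXAMPLE.TEST`, are assumptions made here.

```python
# Added example: lint an smb.conf / sssd.conf pair against the layout in the post.
# Sample configs below are constructed; EXAMPLE.TEST is a placeholder realm.
import re

def parse_ini(text):
    """Parse smb.conf / sssd.conf style text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf keys may contain spaces and colons; normalise whitespace only
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_pair(smb_text, sssd_text):
    """Return a list of findings; an empty list means the pair matches the post."""
    smb = parse_ini(smb_text).get("global", {})
    sssd = parse_ini(sssd_text)
    findings = []
    if smb.get("security", "").lower() != "user":
        findings.append("smb.conf: security is not 'user'")
    if "keytab" not in smb.get("kerberos method", "secrets only").lower():
        findings.append("smb.conf: kerberos method does not use a keytab")
    if not smb.get("realm"):
        findings.append("smb.conf: realm is not set")
    main = sssd.get("sssd", {})
    if "nss" not in [s.strip() for s in main.get("services", "").split(",")]:
        findings.append("sssd.conf: nss service is not enabled")
    domains = [d.strip() for d in main.get("domains", "").split(",") if d.strip()]
    if not domains:
        findings.append("sssd.conf: no domains listed")
    for dom in domains:
        sec = sssd.get("domain/" + dom.lower())
        if sec is None:
            findings.append(f"sssd.conf: no [domain/{dom}] section")
        elif (sec.get("id_provider"), sec.get("proxy_lib_name")) != ("proxy", "files"):
            findings.append(f"sssd.conf: [domain/{dom}] is not a files proxy")
    return findings

GOOD_SMB = ("[global]\n  realm = EXAMPLE.TEST\n  security = USER\n"
            "  kerberos method = secrets and keytab\n  idmap config * : backend = tdb\n")
GOOD_SSSD = ("[sssd]\nservices = nss, pam\ndomains = EXAMPLE.TEST\n"
             "[domain/EXAMPLE.TEST]\nid_provider = proxy\nproxy_lib_name = files\n")

if __name__ == "__main__":
    print(check_pair(GOOD_SMB, GOOD_SSSD))
```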