
Re: [Samba] 4.5 -> 4.8 samba fails to start




On Tue, 26 Jun 2018 16:22:36 -0500
Chad William Seys <cwseys@xxxxxxxxxxxxxxxx> wrote:

> Hi Rowland,
>    Thanks for your explanation.
>    We have set up Samba to authenticate users against an external MIT 
> Kerberos server and usernames match those in Unix password files.
> 
>    The setup was almost exactly like the Ubuntu help page:
> https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos
>    There are others who have also set up Samba this way:
> https://serverfault.com/questions/659017/possible-to-authenticate-samba-via-kerberos-but-without-domain-join
>    and others who have contacted the mailing list for help in setting
> up Samba this way:
> https://lists.samba.org/archive/samba/2017-April/207728.html
> 
>    After a hint from the Debian bug report (thanks Dan!) I was able
> to get Samba working with the external MIT KDC using SSSD.  (A
> working config is below for the interested.)

Samba does not support sssd, it isn't a Samba product.

>    However, it would be great if this would function using all Samba 
> software as previously.

It is supported, you just have to use winbind and join the domain.

>    Is there a way to set up winbind/idmap to restore the behavior
> that "smbd directly contacts domain controllers"? (Quoted phrase from
> the 4.8 release notes.)

Don't think so, the option was explicitly removed from smbd.
 
> 
> Thanks for the great software!
> Chad.
> 
> smb.conf:
> # Global parameters
> # Note that some of these will vary depending on your setup!
> # E.g. do you use vfs_fruit?
> [global]
>          dns proxy = No
>          hostname lookups = Yes
>          kerberos method = secrets and keytab
>          logging = syslog@1 /var/log/samba/log.%m
>          map to guest = Bad User
>          max log size = 100000
>          panic action = /usr/share/samba/panic-action %d
>          realm = YOUR.KERB.REALM
>          security = USER
>          server signing = required
>          server string = %h server
>          workgroup = MYWORKGR
>          fruit:nfs_aces = no
>          idmap config * : backend = tdb

Nice STANDALONE SERVER smb.conf.

Rowland
