Re: [Samba] AD authentication issue in Samba (kerberos errors)

On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
On Wed, 20 Mar 2019 17:22:36 +0200
"linux.il via samba" <samba@xxxxxxxxxxxxxxx> wrote:
Thank you, I'll try to implement your suggestions.
But it definitely worked without winbind.

Then your 'Samba' problem isn't a Samba problem :-)

As far as Samba is concerned, you have always needed to run winbind on a
Unix ads domain member. It became mandatory from 4.8.0.

I will also second that winbind is not necessary on a member server. I have 4 CentOS 7 member servers and none of them have winbind running on them. Each of these uses SSSD and has absolutely no problems. These systems have been operating without winbind for years. When I updated to 4.8 and 4.9 on the Samba AD, which does use winbind, the member servers were never updated to use winbind. So I don't know under what circumstances it is deemed that winbind is necessary on a domain member. I can just confirm, like the OP, that it is not necessary on any of the domain members I am running.

Having said that I explicitly run:

> cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)

This version of CentOS runs on every Linux box I have. On the AD I run the Sernet packages for CentOS:

> rpm -qa | grep sernet

On each member server I have these RPMs from the CentOS repository installed:

> rpm -qa | grep samba


None of these Samba packages contains winbind:

> rpm -ql `rpm -qa | grep samba` | grep winbind

The /var/run/winbindd directory is only where the process ID would end up if I were running winbind. The actual CentOS RPM containing winbind is the package samba-winbind, which, as you can see, is not listed in the member server's Samba package list.

Here is the result of a ps on one of my member servers:

> ps auxww | grep win
prg-118+ 21497  0.0  0.0 112708   972 pts/2    S+   19:38   0:00 grep --color=auto win

Note there is no winbindd running.

Moreover, here is the result of a getent passwd user (I sanitized the user) on a member server not running winbindd:

> getent passwd user

user:*:10000:10513:User Name:/home/user:/bin/bash

Here is the Samba config /etc/smb.conf from the same member server:

   security = ads
   workgroup = MYHOME

   log file = /var/log/samba/%m.log

   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 30000-100000
   idmap config MYHOME:backend = ad
   idmap config MYHOME:schema_mode = rfc2307
   idmap config MYHOME:range = 10000-29999

Note that the user ID falls in the domain MYHOME range, so it is indeed an AD user.

So maybe someday I will have problems, but using SSSD with a proper setup allows me to use a Samba AD without having to run winbind on the member server. I will continue to operate like that until the day I have an issue, so I will keep this message handy in a notebook just in case. But I firmly believe that a proper SSSD setup precludes the need for winbind at this point in time.

Paul (ganci@xxxxxxxxxx)
Cell: (303)257-5208
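The config quoted in Paul's message relies on the two idmap ranges (the `*` default range and the MYHOME range) being disjoint, and his check that the user's UID lands inside the MYHOME range is what tells him the account came from AD rather than from the local tdb allocator. The script below is an added example, not code from the original post or from Samba: it parses the `idmap config` lines out of an smb.conf fragment, reports any backend with a missing range and any pair of ranges that overlap (overlapping ranges cannot be allocated unambiguously), and classifies a UID/GID from a getent line into the range that holds it. The smb.conf fragment and the getent line are constructed from the values shown in the message; nothing is read from a live system, and `testparm` remains the authoritative check of a real file.

```python
"""Check the idmap layout of a Samba AD member server's smb.conf.

Added example for this thread, not code from the original post or from
Samba. The config fragment and the getent line below are constructed
from the values quoted in the message.
"""
import re
from itertools import combinations

# Constructed from the smb.conf fragment quoted in the message.
SMB_CONF = """\
[global]
   security = ads
   workgroup = MYHOME
   kerberos method = secrets and keytab
   idmap config *:backend = tdb
   idmap config *:range = 30000-100000
   idmap config MYHOME:backend = ad
   idmap config MYHOME:schema_mode = rfc2307
   idmap config MYHOME:range = 10000-29999
"""

# Constructed from the sanitized getent output in the message.
GETENT_LINE = "user:*:10000:10513:User Name:/home/user:/bin/bash"

# Matches "idmap config <domain>:<option> = <value>"; <domain> may be '*'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_idmap(conf):
    """Return {domain: {option: value}}; the 'range' option becomes (lo, hi)."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if opt == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            if lo > hi:
                raise ValueError(f"idmap range for {dom} is inverted: {val}")
            entry["range"] = (lo, hi)
        else:
            entry[opt] = val
    return domains


def check_ranges(domains):
    """Return a list of problems: backends with no range, and overlapping ranges."""
    problems = []
    for dom, entry in domains.items():
        if "range" not in entry:
            problems.append(f"domain {dom} has an idmap backend but no range")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            problems.append(
                f"idmap ranges for {d1} ({lo1}-{hi1}) and {d2} "
                f"({lo2}-{hi2}) overlap")
    return problems


def classify_uid(domains, uid):
    """Return the idmap domain whose range holds uid, or None if no range does."""
    for dom, entry in domains.items():
        rng = entry.get("range")
        if rng and rng[0] <= uid <= rng[1]:
            return dom
    return None


def parse_getent(line):
    """Split a passwd-style getent line into (name, uid, gid)."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd entry: {line!r}")
    return fields[0], int(fields[2]), int(fields[3])


if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    for problem in check_ranges(idmap):
        print("PROBLEM:", problem)
    name, uid, gid = parse_getent(GETENT_LINE)
    print(f"{name}: uid {uid} -> {classify_uid(idmap, uid)}, "
          f"gid {gid} -> {classify_uid(idmap, gid)}")
```

With the quoted config both the UID 10000 and the primary GID 10513 fall in the MYHOME range, which is the same conclusion Paul draws by eye. Changing the `*` range to start at 20000 makes `check_ranges` report the overlap with MYHOME, the kind of mistake that is easy to make when the default range is widened later.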

