Re: [Samba] AD authentication issue in Samba (kerberos errors)




On Wed, 20 Mar 2019 19:56:10 -0600
"Paul R. Ganci via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On 3/20/19 9:40 AM, Rowland Penny via samba wrote:
> > On Wed, 20 Mar 2019 17:22:36 +0200
> > "linux.il via samba" <samba@xxxxxxxxxxxxxxx> wrote:  
> >> Rowland,
> >> Thank you, I'll try to implement your suggestions.
> >> But it definitely worked without winbind.
> >>
> >> Then your 'Samba' problem isn't a Samba problem :-)
> >>
> >> As far as Samba is concerned, you have always needed to run
> >> winbind on a Unix ads domain member. It became mandatory from
> >> 4.8.0  
> 
> I will also second that winbind is not necessary on a member server.
> I have 4 CentOS 7 member servers and none of them have winbind
> running on them. Each of these use SSSD and have absolutely no
> problems. These systems have been operating without winbind for
> years. When I updated to 4.8 and 4.9 on the Samba AD which does use
> winbind the member servers never were updated to use winbind. So I
> don't know what circumstances it is deemed that winbind is necessary
> on a domain member. I can just confirm like the OP that it is not
> necessary on any of the domain members I am running.
> 

If you go here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed

Under the heading 'Samba 4.8.0', there is the subheading 'Domain member
setups require winbindd', where it clearly says this:

Setups with "security = domain" or "security = ads" require a running
'winbindd' now. The fallback that smbd directly contacts domain
controllers is gone. 

You may be getting local auth to work without winbind because you are
using sssd, but there is a very great danger of problems with Samba if
winbindd isn't running.

It is your setup, so you get to pick up the pieces if something does go
wrong ;-)

Rowland
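
A check for the situation described in this message, as an added example that is not part of the original thread or Samba's own code: it reads the `security` setting from the `[global]` section of an smb.conf and reports whether a `winbindd` process is present when the quoted release note says one is required. The function names and the sample configuration are constructed for illustration, and the parser only looks at an explicit `security` line; it does not resolve defaults or `include` directives.

```python
import os
import re

# Modes the Samba 4.8.0 release note quoted above names as requiring winbindd.
WINBINDD_REQUIRED = {"ads", "domain"}

# Constructed sample: a domain member whose smb.conf sets "security = ADS".
SAMPLE_CONF = """\
[global]
    realm = EXAMPLE.TEST
    Security = ADS
"""

def global_security(conf_text):
    """Return the lowercased 'security' value from [global], or None if unset."""
    text = re.sub(r"\\\r?\n", "", conf_text)  # a trailing backslash continues a line
    section, value = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank lines and comment lines are ignored
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
        elif section == "global" and "=" in line:
            name, val = line.split("=", 1)  # only the first '=' is significant
            # Parameter names are case-insensitive and whitespace in them is ignored.
            if re.sub(r"\s+", "", name).lower() == "security":
                value = val.strip().lower()  # a later setting replaces an earlier one
    return value

def running_process_names(proc="/proc"):
    """Process names from /proc/<pid>/comm (Linux); empty set where /proc is absent."""
    names = set()
    for pid in filter(str.isdigit, os.listdir(proc) if os.path.isdir(proc) else []):
        try:
            with open(os.path.join(proc, pid, "comm")) as fh:
                names.add(fh.read().strip())
        except OSError:
            pass  # the process exited or is not readable
    return names

def audit(conf_text, process_names):
    """Return 'not-required', 'ok' or 'missing-winbindd' for this configuration."""
    if global_security(conf_text) not in WINBINDD_REQUIRED:
        return "not-required"
    return "ok" if "winbindd" in process_names else "missing-winbindd"

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, running_process_names()))
```

A host that authenticates local logins through sssd, as in the quoted reply, returns `missing-winbindd` here whenever its smb.conf sets `security = ads` and no `winbindd` process is running.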
