SSSD and Samba

Issues related to applications and software problems
Post Reply
kvashishta
Posts: 66
Joined: 2015/02/15 18:35:55

SSSD and Samba

Post by kvashishta » 2015/06/08 14:32:22

Team,

I am having issues getting samba to work with AD authentication using SSSD. Here are the relevant configuration files and error logs:

/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
services = nss, pam, pac, ssh

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM

# Comment out if you prefer to user shortnames.
#use_fully_qualified_names = True
#ldap_idmap_range_size = 2000000000

#ldap_idmap_range_size = 2000000000


[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = server.MYDOMAIN.COM
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_idmap_default_domain_sid = <my SID>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad

-------------------------------------------------------------------------------------------------------------

cat /etc/krb5.conf
[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
proxiable = true
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
admin_server = SERVER2.MYDOMAIN.COM
admin_server = SERVER1.MYDOMAIN.COM
admin_server = SERVER3.MYDOMAIN.COM
admin_server = SERVER4.MYDOMAIN.COM
}

[domain_realm]
.MYDOMAIN.COM = MYDOMAIN.COM
MYDOMAIN.COM = MYDOMAIN.COM

---------------------------------------------------------------------

cat /etc/samba/smb.conf
[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = <SERVER NAME>
password server = *
server string = Samba Server Version %v
security =ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
passdb backend = tdbsam
guest account = nobody
log level = 4
local master = no
domain master = no
preferred master = no
# kerberos method = system keytab
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
wins support = no
wins proxy = no
client signing = yes
client use spnego = yes
dns proxy = yes
name resolve order = wins bcast host lmhosts
#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = <username>
path = /home/homes
[homes1]
comment = Home Directories
browseable = no
writable = yes
valid users = @"<ad group name>@mydomain.com"
path = /home/homes1

-----------------------------------------------------------------------------------------------
NOTE: I am using "ktutil" to generate the kerberos ticket and saving it in /etc/krb5.keytab, ssh using an AD username to the server is working without issue.
------------------------------------------------------------------------------------------------

This is the message I am getting in the samba logs:

[2015/06/08 14:16:22.436362, 1] ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Wrong principal in request]
[2015/06/08 14:16:22.436445, 1] ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2015/06/08 14:16:22.436554, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE

----------------------------------------------------------------------------------------------------

Google seraches did not suggest using ktutil to create a kerberos ticket, but I had no choice as kinit was not creating a keytab file. Please excuse my limited knowledge of kerberos.
So, ssh works w/o issue but samba does not.

As always all help will be appreciated. Regards,

Kartik Vashishta

kvashishta
Posts: 66
Joined: 2015/02/15 18:35:55

Re: SSSD and Samba

Post by kvashishta » 2015/06/14 01:37:20

Team,

Got the CentOS7 + SSSD + samba configuration working. Here are the steps and the configuration files. Please note that you will have to substitute your values for the stuff in "<>". The "<>" are not needed. Uppercase when used should be in uppercase.

These are the steps:
NOTE: The configuration file values which worked for me are given after these steps.

1)vi /etc/krb5.conf

2)yum install sssd -y

3)vi /etc/sssd/sssd.conf

4)chmod 0600 /etc/sssd/sssd.conf

5)ktutil (the syntax of this command is explained after these steps)

6)authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

7)systemctl start sssd

8)systemctl enable sssd

9)adcli join
NOTE: Please lookup the syntax of the adcli command. We avoid the realm command as it strips away important configuration from sssd.conf. You may try the realm command and it might work for you.

10)yum install samba -y

11)vi /etc/samba/smb.conf

12)net ads join -U <AD username%Password>

13)systemctl start smb

14)systemctl enable smb


---------------------------------------------------------
The configuration files:

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
services = nss, pam, pac, ssh

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM

# Comment out if you prefer to user shortnames.
#use_fully_qualified_names = True
#ldap_idmap_range_size = 2000000000

#ldap_idmap_range_size = 2000000000


[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = SERVER2.MYDOMAIN.COM
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_idmap_default_domain_sid = <sid>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad

------------------------------------------------------------------
/etc/krb5.conf

[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
admin_server = SERVER1.MYDOMAIN.COM
admin_server = SERVER2.MYDOMAIN.COM
admin_server = SERVER3.MYDOMAIN.COM
admin_server = SERVER4.MYDOMAIN.COM
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
--------------------------------------------------------------------------------------
/etc/samba/smb.conf

[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = <server hostname>
password server = *
server string = Samba Server Version %v
security =ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
log level = 4
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts

#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = <AD username>
path = /home/homes
[homes1]
comment = Home Directories
browseable = no
writable = yes
valid users = @"<AD group@mydomain.com>"
path = /home/homes1

-------------------------------------------------------------------
How to use ktutil
#ktutil
#ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e rc4-hmac
Password for username@ADS.IU.EDU: [enter your password]
#ktutil: wkt /etc/krb5.keytab
#ktutil: quit

davexm
Posts: 1
Joined: 2016/07/07 16:32:50

Re: SSSD and Samba

Post by davexm » 2016/07/07 16:47:04

One year later, but this was *very* helpful to me. Thank you so much for the clear and thorough explanation. -- Dave

wsmith
Posts: 1
Joined: 2017/10/02 18:43:24

Re: SSSD and Samba

Post by wsmith » 2017/10/02 18:58:57

Thank you! Thank you. Thank YOU!

Two years later and this is still the best/easiest way to configure centos + samba + sssd + kerberos!

I made some minor tweaks:
  • In sssd.conf, you can no longer "use_full_qualified_names = False" for a domain scope.
  • In sssd.conf, you can configure dyndns to keep the DC updated with "dyndns_update = True"
  • In smb.conf, you can enable home directory auto-creation with "obey pam restrictions = yes"
  • If you use selinux, you'll need to allow samba to see and/or create home directories:

Code: Select all

setsebool -P samba_create_home_dirs on
setsebool -P samba_enable_home_dirs on
setsebool -P use_samba_home_dirs on
Apparently, you can use the `net` tool to replace ktutil, but the use here is straight-forward enough.

And some googling indicates that you probably don't have to join the domain three times (once in ktuil, once with adcli and once with net), but this doesn't seem to hurt anything.

So, to put it all together, here's a handy provisioning script that can be easily incorporated into your puppet/chef/ansible/whatever:

Code: Select all

export SETUP_ADDOMAIN=SITE.LOCAL
export SETUP_FQDOMAIN=site.local
export SETUP_ADMIN_USER=joiner
export SETUP_ADMIN_PASSWORD="nacho libre is king"
export SETUP_ADMIN_GROUP="domain admins"

alias install="yum install -y"


export SETUP_DC=$( adcli info ${SETUP_ADDOMAIN} | grep '^domain-controllers = ' | awk '{print $3}' )

# configure kerberos
cat > /etc/krb5.conf << EOM

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ${SETUP_ADDOMAIN}
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 ${SETUP_ADDOMAIN} = {
  kdc = ${SETUP_DC}
  admin_server = ${SETUP_DC}
 }

[domain_realm]
 .${SETUP_FQDOMAIN} = ${SETUP_ADDOMAIN}
 ${SETUP_FQDOMAIN} = ${SETUP_ADDOMAIN}

EOM

# configure sssd

install sssd

cat >  /etc/sssd/sssd.conf << EOM

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = ${SETUP_ADDOMAIN}

[domain/${SETUP_ADDOMAIN}]
ad_domain = ${SETUP_ADDOMAIN}
krb5_realm = ${SETUP_ADDOMAIN}
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = ${SETUP_DC}
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
#use_full_qualified_names = False
override_homedir = /home/%u
ldap_id_mapping = True
# ldap_idmap_default_domain_sid = <sid>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad
chpass_provider = ad

# enable dynamic dns updates
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

EOM

chmod 600 /etc/sssd/sssd.conf

# install keytab with ktutil
ktutil << EOM
addent -password -p ${SETUP_ADMIN_USER}@${SETUP_ADDOMAIN} -k 1 -e rc4-hmac
${SETUP_ADMIN_PASSWORD}
wkt /etc/krb5.keytab
quit
EOM

# enable sssd
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

systemctl enable sssd
systemctl start sssd

# join domain from the sssd side
echo -n ${SETUP_ADMIN_PASSWORD} | adcli join --stdin-password -U ${SETUP_ADMIN_USER} ${SETUP_ADDOMAIN}

# configure samba (member server is default configuration)

install samba

cat > /etc/samba/smb.conf << EOM
[global]
  workgroup = $( echo $SETUP_ADDOMAIN | cut -d. -f1 )
  realm = ${SETUP_ADDOMAIN}
  netbios name = ${SETUP_HOSTNAME}
  password server = *
  server string = Samba Server Version %v
  security = ADS
  log file = /var/log/samba/log.%m
  max log size = 5000
  load printers = No
  idmap config * : backend = tdb
  log level = 4
  local master = no
  domain master = no
  preferred master = no
  wins support = no
  wins proxy = no
  dns proxy = yes
  name resolve order = wins bcast host lmhosts
  obey pam restrictions = yes
  
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  valid users = @"domain users${SETUP_FQDOMAIN}"
  path = /home/%U
EOM


# join domain from the samba side
echo -n ${SETUP_ADMIN_PASSWORD} | net ads join -U ${SETUP_ADMIN_USER}

systemctl enable smb
systemctl start smb

# sss takes over /etc/nsswitch for sudoers. remove that (avoids frequent "SECURITY information" emails in debian)
sudo sed -i /^sudoers:/s/sss// /etc/nsswitch.conf

# configure selinux
setsebool -P samba_create_home_dirs on
setsebool -P samba_enable_home_dirs on
setsebool -P use_samba_home_dirs on

# NOTE: Read samba_selinux(8) man page for configuring shares

whynotkeithberg
Posts: 1
Joined: 2015/03/24 17:42:21

Re: SSSD and Samba

Post by whynotkeithberg » 2017/11/22 15:23:50

So with the way you're doing it you don't technically need to use ktutil at all.. What kinit & ktutil are doing is getting a TGT or Ticket-Granting Ticket. This just gets you a Kerberos ticket with your username and pass.

With ktutil you're creating a keytab that is storing your credentials in an encrypted form. I would really only use ktutil if I'm trying to automate the join of many servers to the domain.

If you're just working on one server I would:

kinit user@DOMAIN.COM

So kinit & ktutil don't actually join to the domain they just get a TGT.

However, you are correct in that you don't actually need to do both 'adcli join' and 'net ads join' one or the other is sufficient. If you're creating a keytab though you can use net ads -k to use the authentication you used in the keytab and join the server without needing to manually type in your password and stuff.

Post Reply