Team,
I am having issues getting samba to work with AD authentication using SSSD. Here are the relevant configuration files and error logs:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
services = nss, pam, pac, ssh
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
# Comment out if you prefer to use shortnames.
#use_fully_qualified_names = True
#ldap_idmap_range_size = 2000000000
#ldap_idmap_range_size = 2000000000
[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = server.MYDOMAIN.COM
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_idmap_default_domain_sid = <my SID>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad
-------------------------------------------------------------------------------------------------------------
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
proxiable = true
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
admin_server = SERVER2.MYDOMAIN.COM
admin_server = SERVER1.MYDOMAIN.COM
admin_server = SERVER3.MYDOMAIN.COM
admin_server = SERVER4.MYDOMAIN.COM
}
[domain_realm]
.MYDOMAIN.COM = MYDOMAIN.COM
MYDOMAIN.COM = MYDOMAIN.COM
---------------------------------------------------------------------
cat /etc/samba/smb.conf
[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = <SERVER NAME>
password server = *
server string = Samba Server Version %v
security =ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
passdb backend = tdbsam
guest account = nobody
log level = 4
local master = no
domain master = no
preferred master = no
# kerberos method = system keytab
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
wins support = no
wins proxy = no
client signing = yes
client use spnego = yes
dns proxy = yes
name resolve order = wins bcast host lmhosts
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = <username>
path = /home/homes
[homes1]
comment = Home Directories
browseable = no
writable = yes
valid users = @"<ad group name>@mydomain.com"
path = /home/homes1
-----------------------------------------------------------------------------------------------
NOTE: I am using "ktutil" to generate the kerberos ticket and saving it in /etc/krb5.keytab, ssh using an AD username to the server is working without issue.
------------------------------------------------------------------------------------------------
This is the message I am getting in the samba logs:
[2015/06/08 14:16:22.436362, 1] ../source3/librpc/crypto/gse.c:466(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Wrong principal in request]
[2015/06/08 14:16:22.436445, 1] ../auth/gensec/spnego.c:576(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2015/06/08 14:16:22.436554, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOGON_FAILURE
----------------------------------------------------------------------------------------------------
Google searches did not suggest using ktutil to create a kerberos ticket, but I had no choice as kinit was not creating a keytab file. Please excuse my limited knowledge of kerberos.
So, ssh works w/o issue but samba does not.
As always all help will be appreciated. Regards,
Kartik Vashishta
SSSD and Samba
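The `Wrong principal in request` failure in the log above is what `gss_accept_sec_context` reports when the client's service ticket names a principal (for SMB, `cifs/<fqdn>@REALM`) for which the keytab Samba was pointed at holds no key; a keytab written only with `ktutil addent -p username@REALM` contains just that user key, which matches ssh through SSSD working while SMB fails. Below is an added check, not part of this thread, that parses `klist -k -t -e` output for the principals a member server needs; the two klist outputs, the host name fileserver.mydomain.com and the realm MYDOMAIN.COM are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the keytab Samba is told to
# use actually holds the service principals a CIFS client's ticket will name.
# gss_accept_sec_context fails with "Wrong principal in request" when the
# ticket is for a principal that has no key in the keytab.

# Constructed sample: `klist -k -t -e` on a keytab written only with
# `ktutil addent -password -p username@MYDOMAIN.COM` (a user key, no SPNs).
SAMPLE_USER_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/08/2015 14:10:01 username@MYDOMAIN.COM (arcfour-hmac)'

# Constructed sample: the same command after `net ads keytab create` on a
# member server named fileserver.mydomain.com.
SAMPLE_JOINED='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/08/2015 15:02:11 host/fileserver.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 06/08/2015 15:02:11 cifs/fileserver.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 06/08/2015 15:02:11 FILESERVER$@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: 0 if PRINCIPAL appears as the
# fourth column (KVNO, date, time, principal, enctype) of any entry line.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { found = 1 } END { exit !found }'
}

# check_samba_keytab KLIST_OUTPUT FQDN REALM: print each missing principal,
# warn on RC4 keys, return the number of missing principals (0 = usable).
check_samba_keytab() {
    out=$1; fqdn=$2; realm=$3; missing=0
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    for p in "cifs/$fqdn@$realm" "host/$fqdn@$realm" "$short\$@$realm"; do
        if ! keytab_has_principal "$out" "$p"; then
            echo "missing: $p"
            missing=$((missing + 1))
        fi
    done
    # rc4-hmac (arcfour) is deprecated; AD issues AES service tickets by default
    printf '%s\n' "$out" | grep -q 'arcfour-hmac' && echo "warning: rc4-hmac key present"
    return $missing
}

# On a real host: check_samba_keytab "$(klist -k -t -e /etc/krb5.keytab)" "$(hostname -f)" MYDOMAIN.COM
```

Note that the working smb.conf posted in the reply below drops `kerberos method = dedicated keytab`, so Samba falls back to the machine account secret stored by `net ads join` instead of the user-only keytab.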
Re: SSSD and Samba
Team,
Got the CentOS7 + SSSD + samba configuration working. Here are the steps and the configuration files. Please note that you will have to substitute your values for the stuff in "<>". The "<>" are not needed. Uppercase when used should be in uppercase.
These are the steps:
NOTE: The configuration file values which worked for me are given after these steps.
1) vi /etc/krb5.conf
2) yum install sssd -y
3) vi /etc/sssd/sssd.conf
4) chmod 0600 /etc/sssd/sssd.conf
5) ktutil (the syntax of this command is explained after these steps)
6) authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
7) systemctl start sssd
8) systemctl enable sssd
9) adcli join
NOTE: Please look up the syntax of the adcli command. We avoid the realm command as it strips away important configuration from sssd.conf. You may try the realm command and it might work for you.
10) yum install samba -y
11) vi /etc/samba/smb.conf
12) net ads join -U <AD username%Password>
13) systemctl start smb
14) systemctl enable smb
---------------------------------------------------------
The configuration files:
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
services = nss, pam, pac, ssh
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
# Comment out if you prefer to use shortnames.
#use_fully_qualified_names = True
#ldap_idmap_range_size = 2000000000
#ldap_idmap_range_size = 2000000000
[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = SERVER2.MYDOMAIN.COM
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
ldap_id_mapping = true
ldap_idmap_default_domain_sid = <sid>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad
------------------------------------------------------------------
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
MYDOMAIN.COM = {
kdc = SERVER1.MYDOMAIN.COM
admin_server = SERVER1.MYDOMAIN.COM
admin_server = SERVER2.MYDOMAIN.COM
admin_server = SERVER3.MYDOMAIN.COM
admin_server = SERVER4.MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
--------------------------------------------------------------------------------------
/etc/samba/smb.conf
[global]
workgroup = my
realm = MYDOMAIN.COM
netbios name = <server hostname>
password server = *
server string = Samba Server Version %v
security =ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
log level = 4
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = <AD username>
path = /home/homes
[homes1]
comment = Home Directories
browseable = no
writable = yes
valid users = @"<AD group@mydomain.com>"
path = /home/homes1
-------------------------------------------------------------------
How to use ktutil
#ktutil
#ktutil: addent -password -p username@ADS.IU.EDU -k 1 -e rc4-hmac
Password for username@ADS.IU.EDU: [enter your password]
#ktutil: wkt /etc/krb5.keytab
#ktutil: quit
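Step 4 above sets sssd.conf to mode 0600, and the posted [domain/MYDOMAIN.COM] section assigns `ldap_id_mapping` twice; here is an added check, not from this thread, that flags repeated keys within a section and a mode other than 0600, run over a constructed sample file modelled on the posted one. Newer SSSD releases ship `sssctl config-check` for this; the functions below assume only POSIX sh, awk, find and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): lint an sssd.conf for two things the
# steps above depend on. Prefer `sssctl config-check` where your SSSD has it.
#   1. a key set twice in one section: the last assignment wins and the
#      earlier line is dead configuration (the posted [domain] section sets
#      ldap_id_mapping twice);
#   2. a mode other than 0600: sssd refuses to start when group or others can
#      read the file, since it may carry secrets such as ldap_default_authtok.

# dup_keys FILE: print "section/key" for every repeated key; return 1 if any.
dup_keys() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comment or blank
        /^[[:space:]]*\[/ {                                 # [section] header
            sec = $0; gsub(/[[:space:]]/, "", sec)
            sec = substr(sec, 2, length(sec) - 2); next
        }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (++seen[sec "/" tolower(key)] == 2) { print sec "/" tolower(key); dup = 1 }
        }
        END { exit dup + 0 }' "$1"
}

# check_mode FILE: 0 if the mode is exactly 0600 (POSIX find, no GNU stat)
check_mode() {
    find "$1" -perm 600 | grep -q .
}

# check_sssd_conf FILE: run both checks, return the number that failed
check_sssd_conf() {
    failed=0
    dup_keys "$1" || failed=$((failed + 1))
    check_mode "$1" || { echo "mode of $1 is not 0600"; failed=$((failed + 1)); }
    return $failed
}

# Constructed sample: duplicate ldap_id_mapping, duplicate commented lines (ignored)
SAMPLE_CONF='[sssd]
config_file_version = 2
domains = MYDOMAIN.COM
#ldap_idmap_range_size = 2000000000
#ldap_idmap_range_size = 2000000000
[domain/MYDOMAIN.COM]
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
ldap_id_mapping = true
access_provider = ad'

# write_sample MODE: write the sample to a temp file with MODE, print the path
write_sample() {
    f=$(mktemp) && printf '%s\n' "$SAMPLE_CONF" > "$f" && chmod "$1" "$f" && echo "$f"
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on a real host; a non-zero return with the printed `section/key` lines tells you which assignment is being silently overridden.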
Re: SSSD and Samba
One year later, but this was *very* helpful to me. Thank you so much for the clear and thorough explanation. -- Dave
Re: SSSD and Samba
Thank you! Thank you. Thank YOU!
Two years later and this is still the best/easiest way to configure centos + samba + sssd + kerberos!
I made some minor tweaks:
- In sssd.conf, you can no longer "use_fully_qualified_names = False" for a domain scope.
- In sssd.conf, you can configure dyndns to keep the DC updated with "dyndns_update = True"
- In smb.conf, you can enable home directory auto-creation with "obey pam restrictions = yes"
- If you use selinux, you'll need to allow samba to see and/or create home directories:
setsebool -P samba_create_home_dirs on
setsebool -P samba_enable_home_dirs on
setsebool -P use_samba_home_dirs on
And some googling indicates that you probably don't have to join the domain three times (once in ktutil, once with adcli and once with net), but this doesn't seem to hurt anything.
So, to put it all together, here's a handy provisioning script that can be easily incorporated into your puppet/chef/ansible/whatever:
export SETUP_ADDOMAIN=SITE.LOCAL
export SETUP_FQDOMAIN=site.local
export SETUP_ADMIN_USER=joiner
export SETUP_ADMIN_PASSWORD="nacho libre is king"
export SETUP_ADMIN_GROUP="domain admins"
# short host name, used for "netbios name" in smb.conf below
export SETUP_HOSTNAME=$( hostname -s )
# aliases are not expanded in non-interactive scripts; a function works everywhere
install() { yum install -y "$@"; }
export SETUP_DC=$( adcli info ${SETUP_ADDOMAIN} | grep '^domain-controllers = ' | awk '{print $3}' )
# configure kerberos
cat > /etc/krb5.conf << EOM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ${SETUP_ADDOMAIN}
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
${SETUP_ADDOMAIN} = {
kdc = ${SETUP_DC}
admin_server = ${SETUP_DC}
}
[domain_realm]
.${SETUP_FQDOMAIN} = ${SETUP_ADDOMAIN}
${SETUP_FQDOMAIN} = ${SETUP_ADDOMAIN}
EOM
# configure sssd
install sssd
cat > /etc/sssd/sssd.conf << EOM
[sssd]
services = nss, pam, ssh, pac
config_file_version = 2
domains = ${SETUP_ADDOMAIN}
[domain/${SETUP_ADDOMAIN}]
ad_domain = ${SETUP_ADDOMAIN}
krb5_realm = ${SETUP_ADDOMAIN}
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_server = ${SETUP_DC}
krb5_ccachedir = /tmp
krb5_store_password_if_offline = True
default_shell = /bin/bash
#use_fully_qualified_names = False
override_homedir = /home/%u
ldap_id_mapping = True
# ldap_idmap_default_domain_sid = <sid>
ldap_idmap_autorid_compat = True
ldap_max_id = 2000200000
ldap_idmap_range_size = 2000000000
access_provider = ad
chpass_provider = ad
# enable dynamic dns updates
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
EOM
chmod 600 /etc/sssd/sssd.conf
# install keytab with ktutil
ktutil << EOM
addent -password -p ${SETUP_ADMIN_USER}@${SETUP_ADDOMAIN} -k 1 -e rc4-hmac
${SETUP_ADMIN_PASSWORD}
wkt /etc/krb5.keytab
quit
EOM
# enable sssd
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
systemctl enable sssd
systemctl start sssd
# join domain from the sssd side
printf '%s' "${SETUP_ADMIN_PASSWORD}" | adcli join --stdin-password -U ${SETUP_ADMIN_USER} ${SETUP_ADDOMAIN}
# configure samba (member server is default configuration)
install samba
cat > /etc/samba/smb.conf << EOM
[global]
workgroup = $( echo $SETUP_ADDOMAIN | cut -d. -f1 )
realm = ${SETUP_ADDOMAIN}
netbios name = ${SETUP_HOSTNAME}
password server = *
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
idmap config * : backend = tdb
log level = 4
local master = no
domain master = no
preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
name resolve order = wins bcast host lmhosts
obey pam restrictions = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = @"domain users@${SETUP_FQDOMAIN}"
path = /home/%U
EOM
# join domain from the samba side
printf '%s' "${SETUP_ADMIN_PASSWORD}" | net ads join -U ${SETUP_ADMIN_USER}
systemctl enable smb
systemctl start smb
# sss takes over /etc/nsswitch for sudoers. remove that (avoids frequent "SECURITY information" emails in debian)
sudo sed -i /^sudoers:/s/sss// /etc/nsswitch.conf
# configure selinux
setsebool -P samba_create_home_dirs on
setsebool -P samba_enable_home_dirs on
setsebool -P use_samba_home_dirs on
# NOTE: Read samba_selinux(8) man page for configuring shares
Re: SSSD and Samba
So with the way you're doing it you don't technically need to use ktutil at all. What kinit & ktutil are doing is getting a TGT or Ticket-Granting Ticket. This just gets you a Kerberos ticket with your username and pass.
With ktutil you're creating a keytab that is storing your credentials in an encrypted form. I would really only use ktutil if I'm trying to automate the join of many servers to the domain.
If you're just working on one server I would:
kinit user@DOMAIN.COM
So kinit & ktutil don't actually join to the domain they just get a TGT.
However, you are correct in that you don't actually need to do both 'adcli join' and 'net ads join'; one or the other is sufficient. If you're creating a keytab though you can use net ads -k to use the authentication you used in the keytab and join the server without needing to manually type in your password and stuff.