
[Samba] problem authenticating with kerberos and smb


Michael Edwards

Nov 27, 2014, 11:30:04 AM
Hi folks

We're having a bit of an issue with a CentOS 6.5 box that is running
Samba 3.6.23-12. Everything was running fine until Samba was upgraded
from 3.6.9-169 to 3.6.23-12 last month, and we're now having problems
accessing the machine or any shares on it.

The machine is joined to a Windows 2008 R2 Active Directory, and we're
using Kerberos for authenticating users. The issue only occurs when
we're using Kerberos - when using NTLM there are no problems. The
machine also runs NFS, which is working fine when using Kerberos. See
below gist for log level = 10 smb log. There is an example of the
process working while using NTLM, and a few examples of it not working
when using Kerberos.

https://gist.github.com/mikes1988/381d507891b493a4e8ff

We've spent some time looking through the log, trying to pinpoint
exactly where it's breaking, and suspect that it's going wrong around
the lines I've pasted below. It looks like the domain information is
getting lost along the way, and then when we get to lookup_sid.c we're
getting the mismatched sids, presumably because one sid is for HGVNAS,
and the other is for DOMAIN. Output of sudo net getlocalsid and sudo
net getlocalsid DOMAIN are below, showing the two sids that are shown in
the log.

edwam@hgvnas:~$ sudo net getlocalsid
SID for domain HGVNAS is: S-1-5-21-127897388-885368389-1514669401
edwam@hgvnas:~$ sudo net getlocalsid DOMAIN
SID for domain DOMAIN is: S-1-5-21-2809677999-1344825738-4163663879

I would appreciate any feedback on where we're going wrong, I've pasted
our current configuration after the log - is there a configuration
option that we've missed along the way, that is now required in the
newer versions? Please let me know if there are any other logs or
configs that you need to help.

[2014/11/27 12:23:55.365650, 10] libsmb/clikrb5.c:1155(get_key_from_keytab)
get_key_from_keytab: will look for kvno 2, enctype 23 and name: host/hgvnas.in...@INSIDE.LOCAL
[2014/11/27 12:23:55.365721, 3] libads/kerberos_verify.c:267(ads_keytab_verify_ticket)
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/hgvnas.in...@INSIDE.LOCAL
[2014/11/27 12:23:55.365799, 10] libsmb/clikrb5.c:955(get_krb5_smb_session_key)
Got KRB5 session key of length 16
[2014/11/27 12:23:55.365833, 10] libsmb/clikrb5.c:396(unwrap_pac)
authorization data is not a Windows PAC (type: 141)
[2014/11/27 12:23:55.365863, 3] libads/kerberos_verify.c:684(ads_verify_ticket)
libads/kerberos_verify.c:684: did not retrieve auth data. continuing without PAC
[2014/11/27 12:23:55.365928, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [ed...@INSIDE.LOCAL]
[2014/11/27 12:23:55.365977, 10] auth/user_krb5.c:96(get_user_from_kerberos_info)
Mapping [INSIDE.LOCAL] to short name using winbindd
[2014/11/27 12:23:55.366275, 10] auth/user_krb5.c:112(get_user_from_kerberos_info)
Domain is [DOMAIN] (using Winbind)
[2014/11/27 12:23:55.366334, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user DOMAIN\edwam
[2014/11/27 12:23:55.366365, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is domain\edwam
[2014/11/27 12:23:55.366546, 5] lib/username.c:124(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is DOMAIN\edwam
[2014/11/27 12:23:55.366704, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is DOMAIN\EDWAM
[2014/11/27 12:23:55.366978, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in domain\edwam
[2014/11/27 12:23:55.367022, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [DOMAIN\edwam]!
[2014/11/27 12:23:55.367057, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user edwam
[2014/11/27 12:23:55.367094, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is edwam
[2014/11/27 12:23:55.367124, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals did find user [edwam]!
[2014/11/27 12:23:55.367170, 6] param/loadparm.c:7490(lp_file_list_changed)
lp_file_list_changed()
file /etc/samba/smb.shares.conf -> /etc/samba/smb.shares.conf last mod_time: Tue Oct 22 14:30:34 2013

file /etc/samba/smb.server.conf -> /etc/samba/smb.server.conf last mod_time: Thu Nov 27 11:19:31 2014

file /etc/samba/smb.rhel.conf -> /etc/samba/smb.rhel.conf last mod_time: Thu Jan 1 01:00:00 1970

file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Wed Nov 26 11:26:10 2014

[2014/11/27 12:23:55.367358, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_edwam
[2014/11/27 12:23:55.367399, 10] auth/user_krb5.c:239(make_server_info_krb5)
didn't find user edwam in passdb, calling make_server_info_pw
[2014/11/27 12:23:55.367432, 10] passdb/lookup_sid.c:76(lookup_name)
lookup_name: HGVNAS\edwam => domain=[HGVNAS], name=[edwam]
...
[2014/11/27 12:23:55.374945, 1] auth/server_info.c:602(passwd_to_SamInfo3)
The primary group domain sid(S-1-5-21-2809677999-1344825738-4163663879-513) does not match the domain sid(S-1-5-21-127897388-885368389-1514669401) for edwam(S-1-22-1-10181)
[2014/11/27 12:23:55.375014, 1] auth/user_krb5.c:249(make_server_info_krb5)
make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2014/11/27 12:23:55.375051, 1] smbd/sesssetup.c:381(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2014/11/27 12:23:55.375099, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(385) cmd=115 (SMBsesssetupX) NT_STATUS_INVALID_SID


/etc/samba/smb.conf:
[global]
workgroup = DOMAIN
server string = Samba/%v server at %h (CentOS release 6.5 (Final))
log file = /var/log/samba/%M.log
# only if guest logins should be possible (don't see why ATM)
;map to guest = bad user
kerberos method = system keytab
security = ads
realm = inside.local
preferred master = no
# only if guest logins should be possible and using user shares (don't see why)
;usershare allow guests = yes

include = /etc/samba/smb.rhel.conf
include = /etc/samba/smb.server.conf
include = /etc/samba/smb.shares.conf

smb.rhel.conf is unused on this machine

/etc/samba/smb.server.conf:
# disable print sharing; see
# http://serverfault.com/questions/207510/how-do-you-disable-smb-printing-support
load printers = no
printing = bsd
printcap name = /dev/null
# note: in samba >= 4.0 this should be enough
disable spoolss = yes
log level = 10

# make winbind use NSS (and therefore SSSD) to resolve SIDs for domain users to
# UIDs; this is needed to allow adding/modifying ACEs on shared files from
# Windows ACL editor; it also allows the names to be mapped to proper
# DOMAIN\name format instead of being displayed as "Unix User\name"; see
# idmap_nss(8).
# - https://lists.samba.org/archive/samba/2012-June/167961.html
# - https://lists.samba.org/archive/samba/2013-January/171142.html
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = nss
idmap config DOMAIN : range = 10000-999999

/etc/samba/samba.shares.conf:
[global]
# defaults for all shares
# make samba as POSIX compliant as possible so there's no discrepancies
# between local/SMB/NFS access

# create files/dirs with at most those permissions
# (does not affect permissions being explicitly set, only defaults when file/dir is created)
create mask = 0664
directory mask = 0775

# POSIX conformance - inherit default ACEs of the parent dir
inherit acls = yes

# do not map old DOS modes to UNIX permissions
# in particular no mapping of archive bit to u+x
# and no changes to DOS readonly, use ACLs instead
map archive = no
map readonly = permissions

# shares are writeable by default
writeable = yes

[appdata]
comment = application data
path = /srv/appdata

[backups]
comment = application and system backups
path = /srv/backups

[sysdata]
comment = system application data
path = /srv/sysdata

[scratch]
comment = scratch monkey (temp/test area)
path = /srv/scratch

Not sure if the rest are relevant:
/etc/krb5.conf:
[logging]
default = SYSLOG:DEBUG:AUTH
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
renew_lifetime = 7d

; this is only needed for samba-3.6.9 which doesn't support AES and uses DES
; by default, but since DES is not allowed by default in AD-2008 this makes the
; host principal unusable; starting with RC4 is most compatible as it is
; allowed by AD-2008 and older; these 3 options can be removed for
; samba-3.6.10+ which will then default to AES
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5

/etc/sssd/sssd.conf:
[nss]
debug_level=2
[pam]
[sssd]
config_file_version=2
domains=inside.local
services=nss, pam
[domain/inside.local]
ldap_referrals=false
ldap_search_base=DC=Inside,DC=local
ldap_user_object_class=user
cache_credentials=true
enumerate=true
auth_provider=krb5
chpass_provider=krb5
ldap_user_home_directory=unixHomeDirectory
krb5_realm=INSIDE.LOCAL
krb5_server=_srv_, hgpdc01.inside.local, hgvdc01.inside.local
ldap_force_upper_case_realm=true
ldap_uri=_srv_, ldap://hgpdc01.inside.local/, ldap://hgvdc01.inside.local/
krb5_renew_interval=1800
ldap_sasl_mech=GSSAPI
min_id=10000
ldap_schema=rfc2307bis
ldap_group_object_class=group
ldap_account_expire_policy=ad
ldap_user_principal=userPrincipalName
id_provider=ldap
[#EOF#]

Other info:
OS: CentOS release 6.5
Kernel: 2.6.32-431.29.2.el6.x86_64

Thanks in advance
Michael
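To make the "does not match the domain sid" line in the log easier to read, here is an added example (not from the post, and not Samba's own code) that parses the three SIDs on that line and reports whether the primary group's domain prefix equals the SID Samba compared it against, and whether the user SID came from Samba's Unix User namespace rather than the domain. The sample log line is constructed from the excerpt above, re-joined onto one line.

```python
import re

# Constructed sample: the passwd_to_SamInfo3 lines from the log excerpt above,
# re-joined onto one line (Samba prints the message on one line; the mail
# client wrapped it).
SAMPLE_LOG = (
    "[2014/11/27 12:23:55.374945, 1] auth/server_info.c:602(passwd_to_SamInfo3)\n"
    "The primary group domain sid(S-1-5-21-2809677999-1344825738-4163663879-513) "
    "does not match the domain sid(S-1-5-21-127897388-885368389-1514669401) "
    "for edwam(S-1-22-1-10181)\n"
)

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
UNIX_USER_AUTHORITY = "S-1-22-1-"   # Samba's "Unix User" SID namespace


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-513' into ('S-1-5-21-a-b-c', 513)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def find_sid_mismatches(log_text):
    """Return one record per 'does not match the domain sid' line."""
    records = []
    for line in log_text.splitlines():
        if "does not match the domain sid" not in line:
            continue
        sids = SID_RE.findall(line)
        if len(sids) < 3:
            continue  # truncated or wrapped line; skip rather than guess
        group_sid, domain_sid, user_sid = sids[:3]
        group_domain, group_rid = split_sid(group_sid)
        records.append({
            "group_domain": group_domain,
            "group_rid": group_rid,               # 513 = Domain Users in AD
            "domain_sid": domain_sid,             # the SID Samba compared against
            "mismatch": group_domain != domain_sid,
            # A user SID under S-1-22-1 was built from a passwd entry (NSS),
            # not resolved as a domain account, so Samba treated the account as
            # local and checked the group against the local machine SID.
            "user_is_unix_sid": user_sid.startswith(UNIX_USER_AUTHORITY),
        })
    return records


if __name__ == "__main__":
    for rec in find_sid_mismatches(SAMPLE_LOG):
        print(rec)
```

Run it against a real log (e.g. `find_sid_mismatches(open("/var/log/samba/client.log").read())`) to see whether the group prefix matches the output of `net getlocalsid DOMAIN` while the comparison SID matches the plain `net getlocalsid`, which is the situation shown above.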




Rowland Penny

Nov 27, 2014, 11:50:03 AM
OK, alter samba.shares.conf by removing the [global] tag and move
**ALL** the settings to the shares where they belong.

There is also this: '# make winbind use NSS (and therefore SSSD) to
resolve SIDs for domain users'

There is **NO** connection between winbind and sssd, you need to use
either one or the other in /etc/nsswitch.conf

You have 'realm = inside.local' in smb.conf and 'default_realm =
DOMAIN.LOCAL' in /etc/krb5.conf, now this may just be a sanitizing
error, but if not you need to sort this.

That's enough to be going on with

Rowland

Michael Edwards

Nov 27, 2014, 12:20:02 PM
Hi Rowland

Thanks for your reply.

I've modified the smb.shares.conf to remove the global tag, and moved
the settings into each share. Tried accessing the machine after a
`service smb reload && service winbind reload && service sssd reload`,
and still getting the same error.

Only sssd is set up in /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group: files sss

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

The realm was just a sanitizing error - they're inside.local &
INSIDE.LOCAL respectively, have also tried variations on caps and lower
case, but still no luck.

Many thanks
Michael


On 27/11/14 16:45, Rowland Penny wrote:
> On 27/11/14 16:07, Michael Edwards wrote:
>> snip

Rowland Penny

Nov 27, 2014, 12:50:03 PM
OK, you are not using winbind, you are using sssd, with the version of
sssd that comes with Centos 6.5, you should be able to use the ad
backend with sssd, see here: http://jhrozek.livejournal.com/3581.html
and here:
http://linuxcostablanca.blogspot.co.uk/2014/05/sssd-autofs-with-ad-backend.html

Rowland