Samba access issue with sssd configuration

Rocky Linux Help & Support
1

Our environment uses samba shares with sssd. Configuration provided below. When users are connecting the shares from windows, its prompting for credentials. Access denied screenshot provided. Is there anything that i missed out configuring. Kindly help.

Below is the samba configuation.

[global]
realm = EXAMPLE.LOCAL
workgroup = EXAMPLE
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config EXAMPLE : backend = sss
idmap config EXAMPLE : range = 200000-2147483647
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
machine password timeout = 0

SSSD.config file.

[domain/EXAMPLE.LOCAL]
default_shell = /bin/bash
krb5_store_password_if_offline = False
cache_credentials = False
krb5_realm = EXAMPLE.LOCAL
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u
ad_domain = example.local
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
ad_update_samba_machine_account_password = True
ad_gpo_ignore_unreadable = True

Below is the smb file;

[testshare]
comment = testshare
path = /testshare/test
read only = No
valid users = @“Domain Admins@domain”
public = yes
browseable = yes
writeable = yes

Joined the server using realm command.

realm join -U --client-software=sssd --membership-software=samba

Enabled and started Samba services.

systemctl enable smb ; systemctl enable winbind ; systemctl restart smb ; systemctl restart winbind

image
image867×688 62.1 KB

2

The domain users are there in the allowed groups?

systemctl status sssd ???

or there should be log file for sssd, maybe that shows why the permission not granted.

3

maybe AllowGroups in the sshd_config not correct.

4

If you are going to use Samba for shares, then, in my opinion, it isn’t a good idea to use sssd. sssd isn’t provided by Samba and hence, it isn’t supported by Samba, you will get better results using the ‘rid’ idmap backend and joining with ‘net ads join -U administrator’, you will also only have one conf file to configure and maintain.
There is also the possible problem that there is ‘valid users’ and ‘public = yes’ in the share, you cannot use ‘valid users’ on a ‘public’ share, not that the share is actually a public share, ‘map to guest = bad user’ isn’t set in ‘[global]’.

5

Have you tried to use smbclient to actually test that your configuration works? If it works and Windows is not working, perhaps turning on verbose logging for samba will help drill down to the issue.

6

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.