Samba, MS Active Directory, sssd

Hello,

I have followed this article (How to configure a Samba server with SSSD in RHEL with Winbind handling AD Join - Red Hat Customer Portal) to configure and run Samba on Rocky 9.4, authenticating with sssd, and to provide Samba shares with AD.
Please let me describe our environment in more detail:
A Rocky 9.4 server stores the users' home directories; UIDs and GIDs are stored on an LDAP server, along with the user details. Authentication on the server is done through sssd and LDAP. The server exports the users' home directories via NFS to several PCs (the PCs act as NFS clients and also run Rocky 9.4). The PCs also authenticate through sssd and the LDAP server. On the other hand, users logging on to Windows machines should have their Linux home directory mapped to a network drive. This should be done with Samba and the winbind service.
Following the steps in the article mentioned above, we failed to set up Samba successfully. In the log.smbd log file we got the error "check_account: Failed to convert SID S-1-5-21-3244330370-710286947-636655351-13965 to a UID (dom_user[UCY\userXXX])", and in log.wb- we have the errors "…/…/lib/krb5_wrap/krb5_samba.c:3961(smb_krb5_init_context_common)
smb_krb5_init_context_common: Krb5 context initialization failed (Included profile directory could not be read)"

Has anyone succeeded in setting up this scenario? Could you please provide a working sssd.conf and smb.conf as guidance?

Thank you in advance

Maria

There isn't, in my opinion, a working sssd.conf and smb.conf.
sssd and winbind do the same thing (not surprising: they were both initially written by the same person, winbind being first). If you have 'security = ADS' in smb.conf, then you must run winbind, and if you are running winbind there is no point in running sssd; in fact, it will cause nothing but problems. Can I also ask, are you using the basic, standard /etc/krb5.conf?

Yes, I keep the file /etc/krb5.conf as it is; no changes made. I noticed that there are sections for realms and domain_realm. Should I add the domain_realm?

I suggest that you use this format for /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = true

[realms]
    EXAMPLE.COM = {
        default_domain = example.com
    }

[domain_realm]
    SHORT_HOSTNAME_IN_UPPERCASE = EXAMPLE.COM

Obviously, use your own DNS domain etc. in place of the example values shown.

You will also need to set up smb.conf.

One thing I would suggest to anyone setting up Samba on Rocky Linux: do not use the Red Hat tools or documentation; use and follow the Samba documentation.
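The "Failed to convert SID ... to a UID" message in the original post is what smbd logs when winbind has no idmap mapping for the SID's domain, which on a fresh 'security = ADS' member server usually means smb.conf carries only the 'idmap config *' default and no 'idmap config <WORKGROUP>' backend and range. The script below is an added example, not code from the thread or from the Samba project: it parses the [global] section of two constructed smb.conf samples (a broken one and a corrected one; the realm UCY.EXAMPLE.COM, the rid backend and the numeric ranges are assumptions chosen for the example) and reports missing idmap entries and overlapping ranges, the two misconfigurations that leave winbind unable to allocate a UID.

```python
"""Check a Samba AD member smb.conf for the idmap mistakes behind
'check_account: Failed to convert SID ... to a UID' in log.smbd.
Added example; the smb.conf samples are constructed, not from the thread."""
import re

# Constructed sample: security = ADS and winbind, but no idmap configuration
# for the joined domain (workgroup UCY). Realm is an assumption.
BROKEN_SMB_CONF = """
[global]
    workgroup = UCY
    realm = UCY.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
"""

# Corrected sample: the domain gets its own deterministic rid backend with a
# range disjoint from the '*' default. Ranges are assumptions; pick your own.
FIXED_SMB_CONF = """
[global]
    workgroup = UCY
    realm = UCY.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config UCY : backend = rid
    idmap config UCY : range = 10000-999999
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U
"""


def parse_global(text):
    """Return [global] parameters as {normalised lowercase key: value}."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_config(params):
    """Group 'idmap config <DOMAIN> : <option>' keys by upper-cased domain."""
    domains = {}
    for key, value in params.items():
        m = re.match(r"idmap config ([^\s:]+) ?: ?([^\s:]+)$", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(value):
    """'low-high' -> (low, high); ValueError if malformed or inverted."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError("inverted idmap range: " + value)
    return low, high


def check_idmap(text):
    """Return a list of problems; an empty list means the idmap setup looks sane."""
    params = parse_global(text)
    problems = []
    if params.get("security", "").lower() != "ads":
        problems.append("security is not ADS: winbind will not act as a domain member")
    workgroup = params.get("workgroup", "").upper()
    if not workgroup:
        problems.append("workgroup is not set")
    if not params.get("realm"):
        problems.append("realm is not set")
    domains = idmap_config(params)
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default for well-known SIDs")
    if workgroup and workgroup not in domains:
        problems.append("no 'idmap config %s : ...' entry: SIDs from %s cannot be "
                        "mapped to UIDs/GIDs" % (workgroup, workgroup))
    ranges = {}
    for domain, options in domains.items():
        if "backend" not in options:
            problems.append("idmap config %s has no backend" % domain)
        if "range" not in options:
            problems.append("idmap config %s has no range" % domain)
            continue
        try:
            ranges[domain] = parse_range(options["range"])
        except ValueError as exc:
            problems.append("idmap config %s: %s" % (domain, exc))
    names = sorted(ranges)
    for i, a in enumerate(names):  # every domain's range must be disjoint
        for b in names[i + 1:]:
            (a_low, a_high), (b_low, b_high) = ranges[a], ranges[b]
            if a_low <= b_high and b_low <= a_high:
                problems.append("idmap ranges for %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, a_low, a_high, b, b_low, b_high))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name + ":", check_idmap(conf) or ["ok"])
```

Run against a real /etc/samba/smb.conf by reading the file into check_idmap(); the checker is deliberately static, so it complements rather than replaces the live tests (testparm, wbinfo -t, wbinfo -i DOMAIN\user) that confirm winbind can actually resolve the SID once the entries are present.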