I’ve joined Linux systems running Debian and CentOS 7 to Active Directory and set up Samba shares based on that, but I have yet to get this to work on RockyOS 9.
From what I understand, RockyOS 9 is different in that it uses SSSD instead of Winbind.
I have joined my RockyOS 9 server to the domain and can query users, groups, and passwords. I can assign AD users and groups to files and folders. Signed in to my Windows client machine, I can get to the server and see the network shared folder in File Manager using the Windows credentials of my logged-in user (a.k.a. working normally). When I click on it, I get the error that \SERVER\share is unavailable.
The most relevant log message I can find is “check_account: Failed to find local account with UID [numbers redacted] for SID [more numbers redacted] (dom_user[SHORT_DOMAIN/user.name])”.
That error message isn’t leading me to anything relevant with RockyOS 9.
I’ve combed through /etc/nsswitch.conf /etc/krb5.conf /etc/samba/smb.conf and so forth, trying to verify my settings against working configurations on Debian and CentOS 7 servers (I know, they’re different but I’m grabbing at straws at this point).
Are there any hints to get this going? Has it been done with RockyOS 9? I’ve found how-tos for joining RockyOS 9 to AD (done) and file shares with RockyOS 9, but not file shares using AD for authentication.
smb_gss_krb5_import_cred failed with [No credentials were supplied, or the credentials were unavailable or inaccessible: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]
If I use klist I can see where I (the user trying to access the share) have a Kerberos ticket on the server.
```
Default principal: [my user name]

Valid starting       Expires              Service principal
05/22/23 11:58:12    05/22/23 21:58:12    [krb]/[FQDN]@[FQDN]
        renew until 05/29/23 11:58:05
```
This guide looked the most promising, but when I join with realm it seems to break the wbinfo function (and I suppose winbind). So, are the two mutually exclusive?
It’s been a while since I configured a Samba/SSSD/AD connection, but you need to add the realm parameter to smb.conf with the name of the domain (e.g. yourdomain.tld).
I think that you cannot have SSSD as the default backend (used a bad example in my previous answer) since it is read only. Just remove this line from smb.conf:
Well, I don’t know what’s going on exactly. Winbind can’t seem to pair the SID and GID. SSSD without winbind (or not using winbind) doesn’t seem to supply the credentials in the correct format (DOMAIN\user.name). I did it on Debian (not using SSSD) not too long ago. Rocky OS 9 seems to be different from prior versions, like CentOS 6, 7, & 8. I’m re-reading the RHEL documentation on SSSD hoping I can figure something out. Thanks for your input and help.
As I understand it, the username map script maps the domain user to a local account, which means that SSSD is used to identify the user. Should mean that if SSSD can look up the user in Active Directory, Samba is happy.
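As an added illustration of the username-map approach described above (example code, not something posted in this thread or shipped by Samba): a hypothetical `username map script` that turns the `SHORT_DOMAIN\user.name` form Samba receives into the bare name SSSD publishes through NSS, and only returns it if SSSD can actually resolve it. The script path and the assumption that SSSD runs with `use_fully_qualified_names = False` are mine.

```bash
#!/bin/sh
# Hypothetical username map script (added example, not from the thread).
# Samba runs it with the name from the authentication request as $1 and
# reads ONE line from stdout as the account name to log in as; printing
# nothing tells Samba the mapping failed.
#
#   [global]
#   username map script = /usr/local/bin/samba-usermap.sh   # assumed path
#
# Assumed: SSSD is joined to the domain with use_fully_qualified_names =
# False, so "getent passwd user.name" resolves the bare AD account name.

# Strip a "SHORT_DOMAIN\" or "SHORT_DOMAIN/" prefix and a trailing "@realm"
# (UPN form), then lower-case the result, which is how SSSD exposes AD
# names via NSS.
map_name() {
    name=$1
    case $name in
        *\\*) name=${name##*\\} ;;
        */*)  name=${name##*/} ;;
    esac
    name=${name%%@*}
    printf '%s\n' "$name" | tr 'A-Z' 'a-z'
}

# Accept only characters a POSIX account name can carry; an empty string,
# spaces or shell metacharacters are rejected rather than passed on.
is_safe_name() {
    case $1 in
        '' | *[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map, validate, and confirm the account resolves through NSS (i.e. SSSD
# knows it) before handing the name back to Samba.
resolve_user() {
    mapped=$(map_name "$1")
    is_safe_name "$mapped" || return 1
    getent passwd "$mapped" >/dev/null 2>&1 || return 1
    printf '%s\n' "$mapped"
}

# Entry point when Samba invokes the script: stay silent on failure so the
# "no output means no mapping" contract holds and the failure is logged by
# smbd instead of a half-mapped name being used.
if [ $# -ge 1 ]; then
    resolve_user "$1" || exit 0
fi
```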
Ah, I see. That seems to be the main issue I’m facing. Thanks for this. I think it may help greatly.
Strange SSSD is giving such grief… I guess. I may just be inexperienced with it.
I appreciate all the advice.
Well, I still can’t get this to work. I think Samba shares authenticated via AD user accounts/groups wasn’t meant to be with Rocky OS 9.
From the Samba listserv, someone with my exact problem (and version of Samba) downgraded from RockyOS 8.8 to 8.7. There goes my idea of installing RockyOS 8 on the server to get around this problem.
> check_account: Failed to convert SID S-1-5-21-… to a UID
> (dom_user[DOMAIN\username]
> Not bothered about the SID, but what was the RID ?

S-1-5-21-847089129-1187572071-3330553849-1107

> Also, does the username end with a ‘$’ ?

no

> Network problem ?
> What else changed ?

Not a network problem and nothing else has changed. I just downgraded to Samba 4.16.4 from the Rocky Linux 8.7 repos, but left everything else as Rocky 8.8, and everything is working fine.

Thanks, Dale