Samba shares authenticated by Active Directory

bpb21 · May 22, 2023, 9:10pm

I’ve joined linux systems running Debian and CentOS 7 to Active Directory and set up Samba shares based on that, but I have yet to get this to work on RockyOS 9.

From what I understand, RockyOS 9 is different in that it uses SSSD instead of Winbind.

I have joined my RockOS 9 server to the domain and can query users, groups, and passwords. I can assign AD users and groups to files and folders. Signed in to my Windows client machine, I can get to the server and see the network shared folder in File Manager using the Windows credentials of my logged in user (a.k.a. working normally). When I click on it, I get the error that \SERVER\share is unavailable.

The most relevant log message I can find is “check_account: Failed to find local account with UID [numbers redacted] for SID [more numbers redacted] (dom_user[SHORT_DOMAIN/user.name])”.

That error message isn’t leading me to anything relevant with RockOS 9.

I’ve combed through /etc/nsswitch.conf /etc/krb5.conf /etc/samba/smb.conf and so forth, trying to verify my settings against working configurations on Debian and CentOS 7 servers (I know, they’re different but I’m grabbing at straws at this point).

Are there any hints to get this going? Has it been done with RockyOS 9? I’ve found how-tos for joining RockyOS 9 to AD (done) and file shares with RockyOS 9, but not file shares using AD for authentication.

dali · May 23, 2023, 5:22pm

Is Samba configured to use SSSD as backend?

Example:

idmap config * : backend =  sss

bpb21 · May 23, 2023, 7:22pm

Here’s what I’ve got so far in smb.conf (redacted sensitive info, of course)

[global]
        client max protocol = SMB2
        client min protocol = SMB2
        domain master = No
        kerberos method = secrets and keytab
        local master = No
        log file = /var/log/samba/log.%m
        max log size = 50
        preferred master = No
        restrict anonymous = 2
        security = USER
        server max protocol = SMB2
        server min protocol = SMB2
        template shell = /bin/bash
        idmap config [short_domain] : range = 10000-99999
        idmap config [short_domain] : backend = sss
        idmap config * : range = 100000-19999999
        idmap config * : backend = sss
        access based share enum = Yes


[archive]
        comment = Archive folder
        create mask = 0660
        delete veto files = Yes
        directory mask = 0770
        force create mode = 0660
        force directory mode = 0770
        force group = "[group]"
        hide unreadable = Yes
        path = /[zfs parent share]/[shared folder]
        read only = No
        valid users = @[short_domain]/[group]
        veto files = /.*/

I’m using ZFS but Samba to share; works fine on other setups.

Now I’m thinking something could be amiss with /etc/nsswitch.conf settings?

bpb21 · May 23, 2023, 7:25pm

Well, this is in the log file…

smb_gss_krb5_import_cred failed with [No credentials were supplied, or the credentials were unavailable or inaccessible: Keytab MEMORY:cifs_srv_keytab is nonexistent or empty]

If I use klist I can see where I (the user trying to access the share) have a kerberos ticket on the server.

Default principal: [my user name]

Valid starting     Expires            Service principal
05/22/23 11:58:12  05/22/23 21:58:12  [krb]/[FQDN]@[FQDN]
        renew until 05/29/23 11:58:05```

dali · May 24, 2023, 6:56am

Shouldn’t security be set to ads or domain if you want to use AD for authentication?

bpb21 · May 24, 2023, 11:04am

Not sure, but this is giving me things to try so thank you! Current errors upon running testparm:

ERROR: The 'security=ADS' mode requires 'realm' parameter to be set!

 ERROR: Do not use the 'sss' backend as the default idmap backend!

Server role: ROLE_DOMAIN_MEMBER

So I shouldn’t use sss as the default idmap backend?

bpb21 · May 24, 2023, 11:05am

Setting security to domain only gives the idmap error:

ERROR: Do not use the 'sss' backend as the default idmap backend!```

bpb21 · May 24, 2023, 12:12pm

This guide looked the most promising, but when I join with realm it seems to break the wbinfo function (and I suppose winbind). So, are the two mutually exclusive?

dali · May 24, 2023, 1:21pm

It’s been a while since I configured a Samba/SSSD/AD connection, but you need to add the realm parameter to smb.conf with the name of the domain (e.g yourdomain.tld).

I think that you cannot have SSSD as the default backend (used a bad example in my previous answer) since it is read only. Just remove this line from smb.conf:

idmap config * : backend = sss

bpb21 · May 25, 2023, 6:16pm

Well, I don’t know what’s going on exactly. Winbind can’t seem to pair the SID and GID. SSSD without winbind (or not using winbind) doesn’t seem to supply the credentials in the correct format (DOMAIN\user.name). I did it on Debian (not using SSSD) not too long ago. Rocky OS 9 seems to be different from prior versions, like CentOS 6, 7, & 8. I’m re-reading the RHEL documentation on SSSD hoping I can figure something out. Thanks for your input and help.

dali · May 26, 2023, 7:31pm

We use a username map script to strip domain info, example:

#!/bin/bash
  
ACCOUNTNAME="$1"

DOMAINNAME="YOURDOMAIN"

case "${ACCOUNTNAME}" in

    ${DOMAINNAME}\\root)
        # skip
        ;;

    ${DOMAINNAME}\\*)
        echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
        ;;

esac

exit 0

Added it to our config after CVE-2020-25717, based on https://bugzilla.samba.org/show_bug.cgi?id=14901#c0 (ignore the “local nt token” stuff). Left it in after the vulnerability was patched.

As I understand it, the username map script maps the domain user to a local account, which means that SSSD is used to identify the user. Should mean that if SSSD can look up the user in Active Directory, Samba is happy.

bpb21 · May 26, 2023, 9:42pm

Ah, I see. That seems to be the main issue I’m facing. Thanks for this. I think it may help greatly.
Strange SSSD is giving such grief…I guess. I may just be inexperienced with it.
I appreciate all the advice.

bpb21 · May 31, 2023, 9:16pm

Well, I still can’t get this to work. I think Samba shares authenticated via AD user accounts/groups wasn’t meant to be with Rocky OS 9.
From the Samba listserv, someone with my exact problem (and version of Samba) downgraded from RockyOS 8.8 to 8.7. There goes my idea of installing RockyOS 8 on the server to get around this problem.

check_account: Failed to convert SID S-1-5-21-… to a UID > (dom_user[DOMAIN\username] > Not bothered about the SID, but what was the RID ? S-1-5-21-847089129-1187572071-3330553849-1107 > Also, does the username end with a ‘$’ ? no > Network problem ? > What else changed ? Not a network problem and nothing else has changed. I just downgraded to Samba 4.16.4 from the Rocky Linux 8.7 repos, but left everything else as Rocky 8.8, and everything is working fine. Thanks, Dale

dali · June 1, 2023, 7:30pm

Ok, it could be an issue with Samba and RHEL/Rocky 8.8. I installed a Samba server on RHEL 8.6 EUS with SSSD this week and it works.