I’ve joined Linux systems running Debian and CentOS 7 to Active Directory and set up Samba shares based on that, but I have yet to get this to work on RockyOS 9.
From what I understand, RockyOS 9 is different in that it uses SSSD instead of Winbind.
I have joined my RockyOS 9 server to the domain and can query users, groups, and passwords. I can assign AD users and groups to files and folders. Signed in to my Windows client machine, I can get to the server and see the network shared folder in File Manager using the Windows credentials of my logged-in user (a.k.a. working normally). When I click on it, I get the error that \\SERVER\share is unavailable.
The most relevant log message I can find is “check_account: Failed to find local account with UID [numbers redacted] for SID [more numbers redacted] (dom_user[SHORT_DOMAIN/user.name])”.
That error message isn’t leading me to anything relevant with RockyOS 9.
I’ve combed through /etc/nsswitch.conf, /etc/krb5.conf, /etc/samba/smb.conf and so forth, trying to verify my settings against working configurations on Debian and CentOS 7 servers (I know, they’re different but I’m grabbing at straws at this point).
Are there any hints to get this going? Has it been done with RockyOS 9? I’ve found how-tos for joining RockyOS 9 to AD (done) and file shares with RockyOS 9, but not file shares using AD for authentication.
Well, I don’t know what’s going on exactly. Winbind can’t seem to pair the SID and GID. SSSD without winbind (or not using winbind) doesn’t seem to supply the credentials in the correct format (DOMAIN\user.name). I did it on Debian (not using SSSD) not too long ago. Rocky OS 9 seems to be different from prior versions, like CentOS 6, 7, & 8. I’m re-reading the RHEL documentation on SSSD hoping I can figure something out. Thanks for your input and help.
As I understand it, the username map script maps the domain user to a local account, which means that SSSD is used to identify the user. That should mean that if SSSD can look up the user in Active Directory, Samba is happy.
Ah, I see. That seems to be the main issue I’m facing. Thanks for this. I think it may help greatly.
Strange SSSD is giving such grief…I guess. I may just be inexperienced with it.
I appreciate all the advice.
Well, I still can’t get this to work. I think Samba shares authenticated via AD user accounts/groups weren’t meant to be with Rocky OS 9.
From the Samba listserv, someone with my exact problem (and version of Samba) downgraded from RockyOS 8.8 to 8.7. There goes my idea of installing RockyOS 8 on the server to get around this problem.
check_account: Failed to convert SID S-1-5-21-… to a UID
> (dom_user[DOMAIN\username]
> Not bothered about the SID, but what was the RID ?
S-1-5-21-847089129-1187572071-3330553849-1107
> Also, does the username end with a ‘$’ ?
no
> Network problem ?
> What else changed ?
Not a network problem and nothing else has changed. I just downgraded to Samba 4.16.4 from the Rocky Linux 8.7 repos, but left everything else as Rocky 8.8, and everything is working fine.
Thanks, Dale
I’m trying to compare my working Samba shares (on the same network/AD) on CentOS 7 with what I’m trying to do in Rocky OS 9.
“net stat sessions” displayed connected users (or one user in the case of ROS9) so it must just not be resolving the SID/UIDs correctly.
I don’t know what has dramatically changed, but something major seems to have.
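A triage helper for the two check_account messages quoted in this thread, as an added example that is not code from any poster or from the Samba project. It answers the questions the list reply asks (what is the RID, does the name end in '$') and records which lookup the message wording points at; the sample lines, SID and UID are constructed, and the function and field names are hypothetical.

```python
import re

# Matches both check_account wordings quoted in the thread; the closing ")" is
# optional because the list post shows the message without it.
LINE_RE = re.compile(
    r"check_account: Failed to (?:find local account with UID (?P<uid>\d+) for SID "
    r"(?P<sid1>S-[\d-]+)|convert SID (?P<sid2>S-[\d-]+) to a UID)\s*"
    r"\(dom_user\[(?P<dom>[^\\/\]]+)[\\/](?P<user>[^\]]+)\]\)?"
)

def split_sid(sid):
    """Split an account SID into (domain SID, RID); the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def triage(line):
    """Return the fields of one check_account failure, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    domain_sid, rid = split_sid(m["sid1"] or m["sid2"])
    return {
        # Assumption from the wording: a UID in the message means the SID was
        # mapped but no account was found for that UID; no UID means the
        # SID-to-UID mapping itself failed.
        "stage": "uid_to_account" if m["uid"] else "sid_to_uid",
        "uid": int(m["uid"]) if m["uid"] else None,
        "domain": m["dom"],
        "user": m["user"],
        "domain_sid": domain_sid,
        "rid": rid,
        "machine_account": m["user"].endswith("$"),  # computer accounts end in '$'
        "builtin_rid": rid < 1000,  # AD hands out RIDs from 1000 up to created accounts
    }

# Constructed sample lines (not taken from a real log).
SAMPLES = [
    "check_account: Failed to find local account with UID 1234501107 for SID "
    "S-1-5-21-1111111111-2222222222-3333333333-1107 (dom_user[SHORT_DOMAIN/user.name])",
    "check_account: Failed to convert SID S-1-5-21-1111111111-2222222222-3333333333-1107 "
    "to a UID (dom_user[DOMAIN\\username])",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Comparing the `uid` field with what `getent passwd <uid>` returns on the server shows whether the UID Samba computed matches the one the system's NSS source assigns to the same user.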