Samba Authentication to AD on Top of SSSD

I have a server setup for AD authentication through SSSD, and it's working great. Now, I've been asked to add a CIFS share to the server, and it will need to be accessible to AD users. Here are a couple of lines that concern me from the log:
[2016/06/14 10:17:09.037697, 2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets)
../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password
[2016/06/14 10:17:09.037710, 1] ../source3/librpc/crypto/gse_krb5.c:619(gse_krb5_get_server_keytab)
../source3/librpc/crypto/gse_krb5.c:619: Error! Unable to set mem keytab - -1765328254
[2016/06/14 10:17:09.037728, 1] ../auth/gensec/gensec_start.c:689(gensec_start_mech)

And some info:

realm list

nghs.com
  type: kerberos
  realm-name: NGHS.COM
  domain-name: nghs.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common
  login-formats: NGHS\%U
  login-policy: allow-any-login
nghs.com
  type: kerberos
  realm-name: NGHS.COM
  domain-name: nghs.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-permitted-logins

net ads info

LDAP server: 172.20.212.131
LDAP server name: HQAUDC4.nghs.com
Realm: NGHS.COM
Bind Path: dc=NGHS,dc=COM
LDAP port: 389
Server time: Tue, 14 Jun 2016 10:24:20 EDT
KDC server: 172.20.212.131
Server time offset: 0

grep -v '\;' /etc/samba/smb.conf | grep -v '#'

[global]
    workgroup = NGHS
    server string = Samba Server Version %v

    netbios name = VEODBTST01

    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3

    passdb backend = tdbsam
    realm = NGHS.COM
    security = ads

    load printers = no
    cups options = raw
    printcap name = /dev/null

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[nonprdfiles]
    comment = Epic Non-Prod Files
    path = /epic/nonprdfiles
    public = yes
    writable = yes
    guest ok = no
    printable = no

grep -v '#' /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = NGHS.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]

[domain_realm]
.nghs.com = NGHS.COM
nghs.com = NGHS.COM

Any advice?

Thanks,
Jameson

Responses

Did you ever sort this? I'm having the exact same issue and this is the top search result.

Yes. If this is the issue I remember, the solution was to change the hostname of the machine from the short name to the FQDN. Then, I just had to bounce sssd and Samba, and it worked from there.
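As an added example that is not part of this thread, the POSIX shell below checks the two preconditions behind the reported fix: the system hostname must be a fully qualified name inside the AD domain, and the keytab Samba will read must carry the host principal for exactly that name. It assumes the machine keytab is /etc/krb5.keytab, and a constructed klist -kt sample stands in for the real keytab so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify the preconditions behind the
# reported fix, i.e. hostname set to the FQDN and a keytab that carries the
# matching host principal. Assumption: the machine keytab is /etc/krb5.keytab.

# Succeed when $1 is a fully qualified name inside DNS domain $2.
is_fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$dom") return 0 ;;   # e.g. veodbtst01.nghs.com inside nghs.com
        *) return 1 ;;          # short name (VEODBTST01) or another domain
    esac
}

# Succeed when klist -kt output on stdin lists host/<fqdn>@<REALM> ($1, $2).
# The match is exact: Kerberos realm names are case sensitive.
keytab_has_host_principal() {
    grep -qF "host/$1@$2"
}

# Constructed sample of klist -kt output for the host named in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------
   2 06/14/2016 09:00:00 host/veodbtst01.nghs.com@NGHS.COM
   2 06/14/2016 09:00:00 VEODBTST01$@NGHS.COM'

# Live run against the local system: sh check.sh --live nghs.com NGHS.COM
run_live_checks() {
    fqdn=$(hostname -f)
    if is_fqdn_in_domain "$fqdn" "$1"; then
        echo "ok: hostname $fqdn is an FQDN in $1"
    else
        echo "warn: hostname $fqdn is not an FQDN in $1 (set the FQDN, then restart sssd and smb)"
    fi
    if klist -kt /etc/krb5.keytab | keytab_has_host_principal "$fqdn" "$2"; then
        echo "ok: keytab has host/$fqdn@$2"
    else
        echo "warn: keytab lacks host/$fqdn@$2"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks "$2" "$3"
fi
```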
