Samba Authentication to AD on Top of SSSD

I have a server set up for AD authentication through SSSD, and it's working great. Now, I've been asked to add a CIFS share to the server, and it will need to be accessible to AD users. Here are a couple of lines that concern me from the log:
[2016/06/14 10:17:09.037697, 2] ../source3/librpc/crypto/gse_krb5.c:196(fill_mem_keytab_from_secrets)
../source3/librpc/crypto/gse_krb5.c:196: failed to fetch machine password
[2016/06/14 10:17:09.037710, 1] ../source3/librpc/crypto/gse_krb5.c:619(gse_krb5_get_server_keytab)
../source3/librpc/crypto/gse_krb5.c:619: Error! Unable to set mem keytab - -1765328254
[2016/06/14 10:17:09.037728, 1] ../auth/gensec/gensec_start.c:689(gensec_start_mech)

And some info:

realm list

nghs.com
  type: kerberos
  realm-name: NGHS.COM
  domain-name: nghs.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common
  login-formats: NGHS\%U
  login-policy: allow-any-login
nghs.com
  type: kerberos
  realm-name: NGHS.COM
  domain-name: nghs.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U
  login-policy: allow-permitted-logins

net ads info

LDAP server: 172.20.212.131
LDAP server name: HQAUDC4.nghs.com
Realm: NGHS.COM
Bind Path: dc=NGHS,dc=COM
LDAP port: 389
Server time: Tue, 14 Jun 2016 10:24:20 EDT
KDC server: 172.20.212.131
Server time offset: 0

grep -v '\;' /etc/samba/smb.conf | grep -v '#'

[global]
    workgroup = NGHS
    server string = Samba Server Version %v

    netbios name = VEODBTST01

    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3

    passdb backend = tdbsam
    realm = NGHS.COM
    security = ads

    load printers = no
    cups options = raw
    printcap name = /dev/null

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[nonprdfiles]
    comment = Epic Non-Prod Files
    path = /epic/nonprdfiles
    public = yes
    writable = yes
    guest ok = no
    printable = no

grep -v '#' /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = NGHS.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]

[domain_realm]
.nghs.com = NGHS.COM
nghs.com = NGHS.COM

Any advice?

Thanks,
Jameson

Responses