RHEL7 client in Windows AD domain to access Samba share partially working
I am tasked with joining my RHEL 7.1 VM to my company's Windows Active Directory domain so various users can access a Samba share with their Windows Active Directory credentials.
I joined the VM to the domain as a client (confirmed with Microsoft's Active Directory Users and Computers snap-in tool & the "NET GROUP "domain computers" /DOMAIN" command at the command prompt) and the Samba share is working (confirmed with local credentials on the RHEL VM). However, I cannot access the Samba share with my AD credentials and I lose connectivity to the domain controller after a short while.
The Samba share (accessed through Windows Explorer via a UNC path) prompts me for login credentials when "#security = ads" is in the global section of /etc/samba/smb.conf. But "security = ads" in the global section of /etc/samba/smb.conf results in a "Windows cannot access \\10.111.222.33" 0x80070035 error.
Thoughts? CLI output, log entries, and configs below.
============ cli output ============
[root@rhelvm samba]# realm join companyad.net -U addomainadmin
[addomainadmin passwd]
[not errors]
[root@rhelvm samba]# realm list
COMPANYAD.NET
type: kerberos
realm-name: COMPANYAD.NET
domain-name: companyad.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy:
[root@rhelvm samba]#
[root@rhelvm ~]# kinit -V juniorneteng
Using default cache: /tmp/krb5cc_0
Using principal: juniorneteng@COMPANYAD.NET
Password for juniorneteng@COMPANYAD.NET:
Authenticated to Kerberos v5
[root@rhelvm ~]#
[root@rhelvm samba]# net ads info
LDAP server: 10.111.222.33
LDAP server name: WINDOMCTRL.COMPANYAD.NET:
Realm: COMPANYAD.NET:
Bind Path: dc=COMPANY,dc=NET
LDAP port: 389
Server time: Tue, 15 Jan 2019 16:22:44 EST
KDC server: 10.136.38.53
Server time offset: 11
at 3:45pm
[root@rhelvm samba]# smbclient //rhelvm/sambashare/ -U companyad\juniornetworkengineer
session setup failed: NT_STATUS_LOGON_FAILURE
because at 3:28pm /var/log/sssd/sssd_companyad.net.log said
(Tue Jan 15 15:28:14 2019) [sssd[be[companyad.net]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
at 2:05pm
[root@rhelvm ~]# smbclient -k //hostname/ProdLogs -U companyad//juniornetworkengineer
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Domain=[COMPANYAD] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: > ls
. D 0 Fri Jan 4 13:03:37 2019
.. D 0 Tue Jan 15 14:58:02 2019
prodlogs D 0 Tue Jan 8 12:35:52 2019
uatlogs D 0 Fri Jan 11 15:18:09 2019
51809572 blocks of size 1024. 50238136 blocks available
smb: > exit
[root@rhelvm ~]#
because at 2:04pm /var/log/sssd/sssd_companyad.net.log said
(Tue Jan 15 14:02:11 2019) [sssd[be[companyad.net]]] [ad_online_cb] (0x0400): The AD provider is online
============ logs ============
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_online_cb] (0x0400): The AD provider is online
============ configs ============
- - - - - - - - /etc/samba/smb.conf - - - - - - - -
[root@nsdlinux1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[ProdLogs]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
Global parameters
[global]
workgroup = COMPANYAD
realm = COMPANYAD.NET
server string = rhelvm %v
interfaces = lo eno16780032
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/%U.log
max log size = 50
server max protocol = SMB2
client signing = if_required
load printers = No
printcap name = /dev/null
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /bin/bash
idmap config * : range = 100000-200000
idmap config * : backend = tdb
hosts allow = 10.0.0.0/255.0.0.0
cups options = raw
[ProdLogs]
path = /tmp/sambatest/
valid users = +COMPANYAD\juniornetworkengineer juniornetworkengineer kcheng
create mask = 0777
directory mask = 0777
[root@rhelvm samba]#
- - - - - - - - /etc/sssd/sssd.conf - - - - - - - -
[sssd]
domains = COMPANYAD.NET
config_file_version = 2
services = nss, pam
[domain/companyad.net]
id_provider = ad
debug_level=6
ad_domain = companyad.net
krb5_realm = COMPANYAD.NET
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_server = windomctrl.company.net
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
override_homedir = /home/%d/%u
# above line was originally /home/%u@%d
# I changed /home/%u@%d to /home/%d/%u
# ex: fallback_homedir = /home/%d/%u
access_provider = ad
# adding this section as directed by section 7.5.1 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
[nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
# adding this section as directed by section 7.5.2 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
- - - - - - - - /etc/krb5.conf - - - - - - - -
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = COMPANYAD.NET
dns_lookup_realm = true
dns_lookup_kdc = true
- - - - - - - - /etc/nsswitch.conf - - - - - - - -
passwd: files sss
shadow: files sss
group: files sss
initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
#bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
============ online references ============
https://access.redhat.com/articles/704743
https://access.redhat.com/solutions/2491551
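A small consistency checker, added here as an example (not the poster's code and not part of Samba or SSSD), that cross-checks the smb.conf [global] values against the sssd.conf AD domain section and counts the DNS and connection-expiry symptoms in SSSD backend log lines of the kind quoted above. The sample configs and log lines are constructed from values shown in the post; the finding texts and the rule that krb5_server should be a host inside ad_domain are the example's own.

```python
import configparser, re

# Constructed samples modelled on the configs and SSSD log lines quoted in the post.
SMB_CONF = """[global]
realm = COMPANYAD.NET
security = ADS
"""
SSSD_CONF = """[domain/companyad.net]
ad_domain = companyad.net
krb5_realm = COMPANYAD.NET
krb5_server = windomctrl.company.net
"""
SSSD_LOG = """(Tue Jan 15 14:02:11 2019) [sssd[be[companyad.net]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Jan 15 14:02:11 2019) [sssd[be[companyad.net]]] [ad_online_cb] (0x0400): The AD provider is online
(Tue Jan 15 15:28:14 2019) [sssd[be[companyad.net]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
"""
# SSSD debug line: (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
SYMPTOMS = {"dns_unreachable": "Could not contact DNS servers", "conn_expired": "connection is about to expire"}

def load(text):
    # smb.conf keys such as "idmap config * : range" contain ':', so split on '=' only
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def config_findings(smb_text, sssd_text):
    """Cross-check smb.conf [global] against the sssd.conf AD domain section."""
    g = load(smb_text)["global"]
    sssd = load(sssd_text)
    dom = next(s for s in sssd.sections() if s.startswith("domain/"))
    d, f = sssd[dom], []
    if g.get("security", "").lower() != "ads":
        f.append("smb.conf: security must be ads for AD users to log on with Kerberos")
    if g.get("realm", "").upper() != d.get("krb5_realm", "").upper():
        f.append("realm in smb.conf differs from krb5_realm in sssd.conf")
    ad_domain = d.get("ad_domain", dom.split("/", 1)[1]).lower()
    kdc = d.get("krb5_server", "").lower()
    if kdc and not kdc.endswith("." + ad_domain):
        f.append("krb5_server %s is not a host in ad_domain %s" % (kdc, ad_domain))
    return f

def log_symptoms(text):
    """Count SSSD backend log lines that match each known symptom pattern."""
    hits = dict.fromkeys(SYMPTOMS, 0)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        for name, needle in SYMPTOMS.items():
            if m and needle in m.group("msg"):
                hits[name] += 1
    return hits
```

Run `config_findings(open("/etc/samba/smb.conf").read(), open("/etc/sssd/sssd.conf").read())` and `log_symptoms` over the real /var/log/sssd/sssd_companyad.net.log to get the same checks against a live member.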