rhel7 client in windows ad domain to access samba share partially working


I am tasked with joining my RHEL 7.1 VM to my company's Windows Active Directory domain so various users can access a Samba share with their Windows Active Directory credentials.
I joined the VM to the domain as a client (confirmed with Microsoft's Active Directory Users and Computers snap-in tool and the "NET GROUP "domain computers" /DOMAIN" command at the command prompt), and the Samba share is working (confirmed with local credentials on the RHEL VM). However, I cannot access the Samba share with my AD credentials, and I lose connectivity to the domain controller after a short while.
The Samba share (accessed through Windows Explorer via a UNC path) prompts me for login credentials when "#security = ads" is in the global section of /etc/samba/smb.conf, but "security = ads" in the global section of /etc/samba/smb.conf results in a "Windows cannot access \\10.111.222.33" 0x80070035 error.

Thoughts? CLI output, log entries, and configs below.

============ cli output ============
[root@rhelvm samba]# realm join companyad.net -U addomainadmin
[addomainadmin passwd]
[no errors]

[root@rhelvm samba]# realm list
COMPANYAD.NET
type: kerberos
realm-name: COMPANYAD.NET
domain-name: companyad.net
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy:
[root@rhelvm samba]#

[root@rhelvm ~]# kinit -V juniorneteng
Using default cache: /tmp/krb5cc_0
Using principal: juniorneteng@COMPANYAD.NET
Password for juniorneteng@COMPANYAD.NET:
Authenticated to Kerberos v5
[root@rhelvm ~]#

[root@rhelvm samba]# net ads info
LDAP server: 10.111.222.33
LDAP server name: WINDOMCTRL.COMPANYAD.NET:
Realm: COMPANYAD.NET:
Bind Path: dc=COMPANY,dc=NET
LDAP port: 389
Server time: Tue, 15 Jan 2019 16:22:44 EST
KDC server: 10.136.38.53
Server time offset: 11

At 3:45pm:
[root@rhelvm samba]# smbclient //rhelvm/sambashare/ -U companyad\juniornetworkengineer
session setup failed: NT_STATUS_LOGON_FAILURE

because at 3:28pm /var/log/sssd/sssd_companyad.net.log said:
(Tue Jan 15 15:28:14 2019) [sssd[be[companyad.net]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it

At 2:05pm:
[root@rhelvm ~]# smbclient -k //hostname/ProdLogs -U companyad//juniornetworkengineer
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Domain=[COMPANYAD] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: > ls
. D 0 Fri Jan 4 13:03:37 2019
.. D 0 Tue Jan 15 14:58:02 2019
prodlogs D 0 Tue Jan 8 12:35:52 2019
uatlogs D 0 Fri Jan 11 15:18:09 2019
51809572 blocks of size 1024. 50238136 blocks available
smb: > exit
[root@rhelvm ~]#

because at 2:04pm /var/log/sssd/sssd_companyad.net.log said:
(Tue Jan 15 14:02:11 2019) [sssd[be[companyad.net]]] [ad_online_cb] (0x0400): The AD provider is online

============ logs ============
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
(Tue Jan 15 14:02:11 2019) [sssd[be[fisalan.nycnet]]] [ad_online_cb] (0x0400): The AD provider is online

============ configs ============
- - - - - - - - /etc/samba/smb.conf - - - - - - - -
[root@nsdlinux1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[ProdLogs]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

Global parameters

[global]
workgroup = COMPANYAD
realm = COMPANYAD.NET
server string = rhelvm %v
interfaces = lo eno16780032
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/%U.log
max log size = 50
server max protocol = SMB2
client signing = if_required
load printers = No
printcap name = /dev/null
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U
template shell = /bin/bash
idmap config * : range = 100000-200000
idmap config * : backend = tdb
hosts allow = 10.0.0.0/255.0.0.0
cups options = raw

[ProdLogs]
path = /tmp/sambatest/
valid users = +COMPANYAD\juniornetworkengineer juniornetworkengineer kcheng
create mask = 0777
directory mask = 0777
[root@rhelvm samba]#

- - - - - - - - /etc/sssd/sssd.conf - - - - - - - -
[sssd]
domains = COMPANYAD.NET
config_file_version = 2
services = nss, pam

[domain/companyad.net]
id_provider = ad
debug_level=6

ad_domain = companyad.net
krb5_realm = COMPANYAD.NET
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_server = windomctrl.company.net
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ldap_schema = ad
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
override_homedir = /home/%d/%u

The above line was originally /home/%u@%d. I changed /home/%u@%d to /home/%d/%u, e.g. fallback_homedir = /home/%d/%u.

access_provider = ad

Adding this section as directed by section 7.5.1 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services

[nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

Adding this section as directed by section 7.5.2 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

- - - - - - - - /etc/krb5.conf - - - - - - - -
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = COMPANYAD.NET
dns_lookup_realm = true
dns_lookup_kdc = true

- - - - - - - - /etc/nsswitch.conf - - - - - - - -
passwd: files sss
shadow: files sss
group: files sss

initgroups: files

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: files sss

publickey: nisplus

automount: files sss
aliases: files nisplus

============ online references ============
https://access.redhat.com/articles/704743
https://access.redhat.com/solutions/2491551
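Added example (not part of the post, and not Samba or Red Hat code): a small checker that parses a testparm-style smb.conf dump and reports the domain-member pitfalls visible in the configuration above. It uses the post's own [global] and [ProdLogs] sections as a constructed sample. The checks are heuristics chosen here: the deprecated "idmap uid"/"idmap gid" options that testparm already warns about, the absence of a per-domain "idmap config COMPANYAD : backend" (so the "*" tdb backend allocates UIDs on its own, independently of the IDs sssd assigns with ldap_id_mapping), "valid users" entries whose "+"/"&"/"@" prefix makes them groups rather than users, and 0777 create/directory masks.

```python
"""Check a testparm-style smb.conf dump for common domain-member pitfalls.

Added example (not from the post or from Samba/Red Hat). The findings are
heuristics: deprecated idmap options, a missing per-domain idmap backend,
group entries in 'valid users', and world-writable create/directory masks.
"""
import re
from collections import OrderedDict

# Constructed sample: the [global] and [ProdLogs] sections as testparm
# printed them in the post (raw string so the backslash survives).
SAMPLE_SMB_CONF = r"""
[global]
workgroup = COMPANYAD
realm = COMPANYAD.NET
server string = rhelvm %v
security = ADS
kerberos method = secrets and keytab
idmap uid = 100000-200000
idmap gid = 100000-200000
idmap config * : range = 100000-200000
idmap config * : backend = tdb
hosts allow = 10.0.0.0/255.0.0.0

[ProdLogs]
path = /tmp/sambatest/
valid users = +COMPANYAD\juniornetworkengineer juniornetworkengineer kcheng
create mask = 0777
directory mask = 0777
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased and internal whitespace collapsed, so
    'idmap config * : backend' is matched however it was spaced.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = OrderedDict()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_member_server(conf):
    """Return a list of human-readable findings for a domain member server."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "").lower() == "ads":
        for required in ("realm", "workgroup"):
            if required not in g:
                findings.append("security = ads: set '%s' in [global]" % required)
        # testparm already warns about these: the allocating ranges moved to
        # 'idmap config * : range' in Samba 4.
        for old in ("idmap uid", "idmap gid"):
            if old in g:
                findings.append("deprecated option '%s'; use 'idmap config * : range'" % old)
        wg = g.get("workgroup", "").lower()
        if wg and ("idmap config %s : backend" % wg) not in g:
            findings.append(
                "no 'idmap config %s : backend': domain SIDs are mapped by the "
                "'*' tdb backend, which allocates UIDs independently of sssd"
                % g["workgroup"])
    for name, share in conf.items():
        if name == "global":
            continue
        # '+', '&' and '@' prefixes make an entry a group, not a single user.
        for entry in share.get("valid users", "").split():
            if entry.startswith(("+", "&", "@")):
                findings.append("[%s] valid users entry '%s' names a group" % (name, entry))
        for mask in ("create mask", "directory mask"):
            if share.get(mask) == "0777":
                findings.append("[%s] %s = 0777 makes new entries world-writable" % (name, mask))
    return findings


if __name__ == "__main__":
    for finding in check_member_server(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run against the sample it reports six findings; feed it `testparm -s` output from a real member server to apply the same checks there.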
