Samba with SSSD - Share not accessible from Linux but from Windows

flunkyball
Posts: 1
Joined: 2019/09/09 18:25:08


Post by flunkyball » 2019/09/09 18:46:39

Hi everyone,
I am running CentOS 7 which is successfully joined into an Active Directory via SSSD. Furthermore, Samba is configured to allow access for domain users to certain shares, which is only working from Windows but neither from Linux nor from Android machines.

What is working:
- login via shell or ssh using the DOMAINUSER
- getent DOMAINUSER, getent DOMAINUSER@DOMAIN.LOCAL, getent DOMAIN\\DOMAINUSER
- Accessing Samba shares from Windows computers using DOMAIN\\DOMAINUSER
- smbclient -L centos.domain.local -U user@domain.local
- smbclient -L centos.domain.local -U user
- smbclient -L centos.domain.local -U DOMAIN\\user

What is not working:
- sudo mount -t cifs -o username=user,domain=domain.local //centos.domain.local/SHARE /mnt/SHARE
- sudo mount -t cifs -o username=user //centos.domain.local/SHARE /mnt/SHARE
- sudo mount -t cifs -o username=user,domain=DOMAIN //centos.domain.local/SHARE /mnt/SHARE

Trying to mount the share leads to a simple "permission denied".

The samba log shows the following:

[2019/09/09 20:15:32.592560,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[USER]@[] with the new password interface
[2019/09/09 20:15:32.592635,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[USER]@[]
[2019/09/09 20:15:32.592839,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/09/09 20:15:32.593006,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\[USER] at [Mo, 09 Sep 2019 20:15:32.592943 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:10.0.0.3:40940] mapped to []\[USER]. local host [ipv4:10.10.10.$
[2019/09/09 20:15:32.593104,  3] ../auth/auth_log.c:591(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2019/09/09 20:15:32.593340,  3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/09/09 20:15:32.729974,  3] ../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

My config looks as follows:
/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
domains = domain.local

[domain/domain.local]
id_provider = ad
; ad_server = dc1.domain.local, dc2.domain.local
override_homedir = /home/DOMAIN/%u
default_shell = /bin/bash
create_homedir = true
remove_homedir = true

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = yes
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = DOMAIN.LOCAL

[realms]

 DOMAIN.LOCAL = {
   kdc = dc1.domain.local
   kdc = dc2.domain.local
   admin_server = dc1.domain.local
   default_domain = domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

/etc/samba/smb.conf

[global]
        bind interfaces only = yes
        interfaces = eno1
        workgroup = INTERN
        realm = intern.waigel.eu
        kerberos method = system keytab
        security = ads
        server string = %h server (Samba, Centos)
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        idmap config * : backend = tdb
        encrypt passwords = yes
        unix charset = UTF-8
        dos charset = CP932
        
[SHARE]
        path = /mnt/Storage/NAS/NAS
        writable = yes
        browsable = yes
        guest ok = no
        #create mode = 0777
        #directory mode = 0777
        valid users = @"domain users@domain.local"
Thanks for any help!
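When comparing the failing mount.cifs attempts with the working Windows logons, the most useful place to look is the human-readable "Auth:" events that Samba writes at log level 2 (the `log_authentication_event_human_readable` lines quoted above). The following is an added example, not code from the post or from the Samba project: it parses those lines into their fields, counts failed logons per remote host, and flags attempts that arrived with an empty domain and an empty workstation, which is exactly how the quoted failure looks on the server side. The sample log lines are constructed to match the format shown in the post; the host addresses, user name, domain name and timestamps are placeholders.

```python
"""Parse Samba auth_log "Auth:" lines and summarise failed logons.

Added example, not part of the forum post. Reads the human-readable
authentication events Samba writes at log level 2 and reports failures
per remote host, flagging those sent with an empty domain and empty
workstation field.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log modelled on the post's format (placeholder values).
# "\\[" in this non-raw string becomes the single backslash Samba prints.
SAMPLE_LOG = """\
[2019/09/09 20:15:32.593006,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\\[alice] at [Mo, 09 Sep 2019 20:15:32.592943 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:10.0.0.3:40940] mapped to []\\[alice]. local host [ipv4:10.0.0.10:445]
[2019/09/09 20:16:01.100000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [DOMAIN]\\[alice] at [Mo, 09 Sep 2019 20:16:01.099000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WIN10-PC] remote host [ipv4:10.0.0.4:51002] mapped to [DOMAIN]\\[alice]. local host [ipv4:10.0.0.10:445]
[2019/09/09 20:16:05.200000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\\[alice] at [Mo, 09 Sep 2019 20:16:05.199000 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:10.0.0.3:40952] mapped to []\\[alice]. local host [ipv4:10.0.0.10:445]
"""

# One bracketed field per named group; "[^\]]*" tolerates commas, colons
# and parentheses inside a field (e.g. "SMB2,(null)" or the timestamp).
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\] "
    r"mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]"
)


def parse_auth_events(text):
    """Return one dict of named fields per 'Auth:' line found in text."""
    events = []
    for line in text.splitlines():
        match = AUTH_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def remote_ip(remote_field):
    """Strip family prefix and port: 'ipv4:10.0.0.3:40940' -> '10.0.0.3'."""
    parts = remote_field.split(":")
    if len(parts) >= 3:
        # Keep everything between the family tag and the trailing port,
        # which also works for colon-separated IPv6 literals.
        return ":".join(parts[1:-1])
    return remote_field


def summarise_failures(events):
    """Count non-OK logons per remote IP; collect users whose attempt
    carried neither a domain nor a workstation name."""
    failures = Counter()
    no_domain = defaultdict(list)
    for event in events:
        if event["status"] == "NT_STATUS_OK":
            continue
        ip = remote_ip(event["remote"])
        failures[ip] += 1
        if event["domain"] == "" and event["workstation"] == "":
            no_domain[ip].append(event["user"])
    return failures, dict(no_domain)


if __name__ == "__main__":
    failures, flagged = summarise_failures(parse_auth_events(SAMPLE_LOG))
    for ip, count in failures.most_common():
        note = ""
        if ip in flagged:
            users = ", ".join(sorted(set(flagged[ip])))
            note = f"  (empty domain and workstation for: {users})"
        print(f"{ip}: {count} failed logon(s){note}")
```

Point it at a real `log.smbd` (or the per-client `log.%m` files configured in the post's smb.conf) instead of `SAMPLE_LOG` to get the same summary for a live server; a client that shows up only with empty domain and workstation fields is sending a different NTLMv2 identity than the Windows clients do, which narrows the comparison to how that client builds the logon request.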
