Hi all, I have a server that I have set up to authenticate successfully using sssd. Everything works great: I can SSH into the server as a user in the LDAP and get all my details.
However, I'm now trying to set up authentication in Samba with very little luck! I'm really clueless with this stuff so please be gentle.
krb5.conf
Code:
[libdefaults]
default_realm = EXAMPLE.CO.UK
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.CO.UK = {
kdc = kdc.example.co.uk
admin_server = kadmin.example.co.uk
default_domain = example.co.uk
}
[domain_realm]
example.co.uk = EXAMPLE.CO.UK
.example.co.uk = EXAMPLE.CO.UK
/etc/samba/smb.conf
Code:
[global]
workgroup = EXAMPLE.CO.UK
server string = Samba Server Version %v
netbios name = store
guest ok = no
clustering = yes
security = domain
# 192.9.210.20 is the IP of kdc.example.co.uk
password server = 192.9.210.20
encrypt passwords = yes
realm = EXAMPLE.CO.UK
template shell = /bin/bash
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
[profile]
comment = GPFS profile Shared Data
public = yes
path = /gpfs/profile
writeable = yes
ea support = yes
create mask = 0775
security mask = 0777
force security mode = 000
directory security mask = 0770
force directory security mode = 000
valid users = %S
valid users = EXAMPLE.CO.UK\%S
I'm pretty sure it's something wrong in the [global] tag of my samba file but I'm struggling to work out what I need to put in there, possibly the 'security' option.
Right now, I can connect to the server via Samba. If I then click the 'profile' share, it prompts me to log in. Inputting the credentials gives me the following error in the logs and I don't understand why:
Code:
[2014/07/14 15:01:55.637873, 3] libsmb/trusts_util.c:166(enumerate_domain_trusts)
enumerate_domain_trusts: can't locate a DC for domain EXAMPLE.CO.UK
[2014/07/14 15:01:55.638111, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [EXAMPLE.CO.UK]\[user.name]@[MYHOSTNAME] with the new password interface
[2014/07/14 15:01:55.638176, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [EXAMPLE.CO.UK]\[user.name]@[HOSTNAME]
[2014/07/14 15:01:55.638336, 3] libsmb/namequery.c:2533(get_dc_list)
get_dc_list: preferred server list: ", 192.9.210.20"
[2014/07/14 15:02:05.640555, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [user.name] -> [user.name] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2014/07/14 15:02:05.640720, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_NO_LOGON_SERVERS
[2014/07/14 15:02:05.641064, 1] smbd/process.c:457(receive_smb_talloc)
receive_smb_raw_talloc failed for client 192.9.200.90 read error = NT_STATUS_CONNECTION_RESET.
[2014/07/14 15:02:05.641257, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)
Why does it say no logon servers when I'm pointing at the Kerberos server? Do I also need to add LDAP information in there too?
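Added example, not part of the original post: a small triage script for smbd logs like the excerpt above. It pairs each failed logon with the `get_dc_list` lookup that preceded it and reports which servers were tried and how long smbd waited. With `security = domain`, smbd hands the logon to a domain controller, and `NT_STATUS_NO_LOGON_SERVERS` is what it returns when none could be contacted. The function names are hypothetical and the sample records are copied from the log in the post.

```python
import re
from datetime import datetime

# Level-3 smbd records are two lines: "[time, level] file:line(function)" then the message.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\] (\S+?):(\d+)\((\w+)\)")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")
DC_LIST = re.compile(r'preferred server list: "(.*)"')

# Sample input: three records copied from the log excerpt in the post.
SAMPLE_LOG = '''\
[2014/07/14 15:01:55.637873, 3] libsmb/trusts_util.c:166(enumerate_domain_trusts)
enumerate_domain_trusts: can't locate a DC for domain EXAMPLE.CO.UK
[2014/07/14 15:01:55.638336, 3] libsmb/namequery.c:2533(get_dc_list)
get_dc_list: preferred server list: ", 192.9.210.20"
[2014/07/14 15:02:05.640555, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [user.name] -> [user.name] FAILED with error NT_STATUS_NO_LOGON_SERVERS
'''

def parse_records(text):
    """Group each header line with the message line(s) that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append({"time": ts, "level": int(m.group(2)),
                            "func": m.group(5), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def failed_logons(records):
    """Pair every failed logon with the most recent DC lookup before it."""
    findings, lookup = [], None
    for rec in records:
        dc = DC_LIST.search(rec["msg"])
        if rec["func"] == "get_dc_list" and dc:
            servers = [s.strip() for s in dc.group(1).split(",") if s.strip()]
            lookup = (rec["time"], servers)
        fail = FAILED.search(rec["msg"])
        if fail:
            waited = (rec["time"] - lookup[0]).total_seconds() if lookup else None
            findings.append({"user": fail.group(2), "status": fail.group(3),
                             "servers_tried": lookup[1] if lookup else [],
                             "seconds_waiting": waited})
            lookup = None  # do not reuse a lookup for a later, unrelated failure
    return findings

if __name__ == "__main__":
    for f in failed_logons(parse_records(SAMPLE_LOG)):
        print(f)
```

A wait of about ten seconds followed by `NT_STATUS_NO_LOGON_SERVERS` points at the server in `servers_tried`, so it is the first thing to check when reading the `password server` setting against the log.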