I've inherited a Samba 4 Active Directory (AD) server. It works fine with `winbind`; however, for security reasons we'd like to change to `sssd`. The domain has two domain controllers (primary and secondary), both online.

I've created a test client machine and followed the steps here to connect to the domain using `sssd`. The client says it has connected to the domain, and it does appear in the domain (when I look in Active Directory Users and Computers).

However, logins and `getent` do not work.
`/var/log/auth.log`:

```
Jun 12 14:19:16 clientCompName sshd[9349]: Invalid user adusername from xxx.xxx.xx8.149 port 42304
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx8.149
Jun 12 14:19:21 clientCompName sshd[9349]: Failed password for invalid user adusername from xxx.xxx.xx8.149 port 42304 ssh2
```
If I do a `realm discover`, I notice the clients seem to be locked into using `winbind`:

```
root@clientCompName:/etc/pam.d# realm discover ADDOMAIN.MYDOMAN.DE
addomain.mydomain.de
  type: kerberos
  realm-name: ADDOMAIN.MYDOMAN.DE
  domain-name: addomain.mydomain.de
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: SMBAD\%U
  login-policy: allow-any-login
```
`/etc/pam.d/common-auth`:

```
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
# end of pam-auth-update config
```
`/etc/pam.d/common-session`:

```
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config
```
`/etc/pam.d/common-account`:

```
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
```
Is there a way to convert the AD to use `sssd` instead of `winbind` (or to accept both)?
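The `auth.log` excerpt above already narrows the problem down: sshd logs `Invalid user NAME` when the name cannot be resolved through NSS, which happens before any password is checked, so an AD account that shows up this way is a name-resolution (nsswitch/sssd) problem, not a PAM or password problem. The following shell script, added here as an example and not part of the original question, triages sshd failures on that basis; the log lines it reads are constructed (the question's lines plus one extra failure for a locally known account) and the file path is a placeholder for `/var/log/auth.log`.

```shell
#!/bin/sh
# Added example, not from the original post: triage sshd failures in auth.log.
# sshd writes "Invalid user NAME" when getpwnam(NAME) fails, i.e. the name is
# unknown to NSS. That happens before any password is checked, so for an AD
# account it points at name resolution (nsswitch.conf / sssd), not at PAM.

# Constructed sample: the question's lines plus one contrasting failure for a
# name the client does know (so the credentials themselves were rejected).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 12 14:19:16 clientCompName sshd[9349]: Invalid user adusername from xxx.xxx.xx8.149 port 42304
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx8.149
Jun 12 14:19:21 clientCompName sshd[9349]: Failed password for invalid user adusername from xxx.xxx.xx8.149 port 42304 ssh2
Jun 12 14:25:02 clientCompName sshd[9412]: Failed password for localadmin from xxx.xxx.xx8.149 port 42310 ssh2
EOF

# Names sshd could not resolve through NSS (de-duplicated, one per line).
unresolved_users() {
    awk '/ sshd\[[0-9]+\]: Invalid user / { sub(/.*Invalid user /, ""); print $1 }' "$1" | sort -u
}

# Names sshd did resolve but whose credentials the PAM auth stack rejected.
rejected_known_users() {
    awk '/Failed password for / && !/Failed password for invalid user / {
             sub(/.*Failed password for /, ""); print $1
         }' "$1" | sort -u
}

# Human-readable triage of one log file: which layer to look at for each name.
triage() {
    unresolved=$(unresolved_users "$1")
    rejected=$(rejected_known_users "$1")
    if [ -n "$unresolved" ]; then
        echo "Names unknown to NSS (lookup failed before PAM ran):"
        echo "$unresolved" | sed 's/^/  /'
        echo "  -> run 'getent passwd <name>' and check the passwd/group lines in /etc/nsswitch.conf"
    fi
    if [ -n "$rejected" ]; then
        echo "Known names with rejected credentials (look at the PAM auth stack):"
        echo "$rejected" | sed 's/^/  /'
    fi
}

triage "$SAMPLE_LOG"
```

Point the functions at the real log (`triage /var/log/auth.log`) to get the same split; on the client in the question, `adusername` lands in the first bucket, which is exactly why `getent` fails too.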
Best Answer
This worked for me - you can exclude the samba packages if you like?

Edit `/etc/nsswitch.conf` lines to look like…

Then (use an AD admin account):

(check ticket)

Edit `/etc/sssd/sssd.conf`:

Then:

Edit `/etc/samba/smb.conf` & check the lines are still there:

Then:

Test:
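To verify the end state the answer describes, the script below (an added example, not the answerer's own commands) checks that the `passwd`, `group` and `shadow` databases in `/etc/nsswitch.conf` list the `sss` service and reads the `client-software` value out of saved `realm discover` output. The assumption that all three databases must carry `sss` comes from the standard sssd setup, not from the answer, whose exact `nsswitch.conf` lines are not reproduced on this page; the two `nsswitch.conf` files and the realm output it runs against are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original answer: verify that a client is
# actually wired to sssd rather than winbind. Assumption (standard sssd setup,
# not shown in the answer): the passwd, group and shadow databases in
# /etc/nsswitch.conf must list the "sss" service.

# Exit 0 if database $2 (passwd/group/shadow) in nsswitch file $1 lists service $3.
nss_db_uses() {
    awk -v db="$2" -v svc="$3" '
        /^[ \t]*#/ { next }                  # skip comment lines
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print the databases in $1 that still lack service $2 (empty output = all present).
nss_missing() {
    for db in passwd group shadow; do
        nss_db_uses "$1" "$db" "$2" || echo "$db"
    done
}

# Extract the client-software value from saved "realm discover" output.
realm_client_software() {
    awk '$1 == "client-software:" { print $2 }' "$1"
}

# Constructed samples: the winbind layout of the question's client and the
# sss layout the answer moves to, plus the question's realm output.
NSS_WINBIND=$(mktemp); NSS_SSSD=$(mktemp); REALM_OUT=$(mktemp)
trap 'rm -f "$NSS_WINBIND" "$NSS_SSSD" "$REALM_OUT"' EXIT
cat > "$NSS_WINBIND" <<'EOF'
# /etc/nsswitch.conf (winbind client, constructed sample)
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF
cat > "$NSS_SSSD" <<'EOF'
# /etc/nsswitch.conf (sssd client, constructed sample)
passwd:         compat sss
group:          compat sss
shadow:         compat sss
hosts:          files dns
EOF
cat > "$REALM_OUT" <<'EOF'
addomain.mydomain.de
  type: kerberos
  realm-name: ADDOMAIN.MYDOMAN.DE
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
EOF

# One-line verdict per nsswitch file.
report() {
    missing=$(nss_missing "$1" sss)
    if [ -n "$missing" ]; then
        echo "$1: sss missing from:" $missing
    else
        echo "$1: passwd/group/shadow all resolve via sss"
    fi
}

report "$NSS_WINBIND"
report "$NSS_SSSD"
echo "realm reports client-software: $(realm_client_software "$REALM_OUT")"
```

On a real client, run `report /etc/nsswitch.conf` and `realm discover YOUR.DOMAIN > /tmp/realm.out; realm_client_software /tmp/realm.out`; until the first prints the "all resolve via sss" line and the second prints `sssd`, `getent passwd <aduser>` will keep failing for the same reason the question's `auth.log` shows `Invalid user`.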