I've set up a CentOS 7 machine, and joined it to our AD via realmd through:

yum install realmd samba-common oddjob oddjob-mkhomedir sssd
realm join --user=myuser@mydomain.local mydomain.local

After that, realm list returns the expected output

[root@webdev samba]# realm list
  mydomain.local
  type: kerberos
  realm-name: MYDOMAIN.LOCAL
  domain-name: mydomain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@mydomain.local
  login-policy: allow-realm-logins

and I can log in via SSH using my AD credentials (so I get myuser@mydomain.local@hostname).

I now need to allow Windows users to access a folder on the machine; however, Samba seems to be unwilling to cooperate - all combinations of username and password come back as wrong. I do not know how to debug this, or whether I am missing something out.

The smb.conf file is basically:

[root@webdev samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[vHosts]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    workgroup = MYDOMAINLOCAL
    realm = MYDOMAIN.LOCAL
    server string = Samba Server Version %v
    security = DOMAIN
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = No
    idmap config * : backend = tdb
    hosts allow = 127., 10.0.
    cups options = raw

[vHosts]
    comment = Virtual Host repository
    path = /var/www/vhosts
    valid users = MYDOMAINLOCAL\%S
    read only = No

I should note that I've changed the directory (/var/www/vhosts) system permissions to 777.

Any help will be greatly appreciated. Thanks in advance!

Updates:

  • DC is Windows 2003 R2, clients are Windows 7
  • Have tried setting security to both ads and domain, with similar results (no cigar)
  • Error message being received at the Windows credentials dialog is "Access is denied"
  • Tried both with firewall disabled and enabled, no difference
  • SELinux is disabled

Searching for krb* packages:

[root@webdev logs]# rpm -qa | grep krb
sssd-krb5-common-1.11.2-68.el7_0.5.x86_64
sssd-krb5-1.11.2-68.el7_0.5.x86_64
samba-winbind-krb5-locator-4.1.1-35.el7_0.x86_64
krb5-libs-1.11.3-49.el7.x86_64

and the commands getent passwd MYDOMAINLOCAL\myuser and getent passwd mydomain.local\myuser return blank (no output).

Nick Andriopoulos
  • Hello hexblot, can you please give us more information about your Windows Server version and Windows client version? On your Windows client you see your vHosts folder but can't access it due to a wrong credential error, right? -Quick thought- is iptables configured? Have you tried: security = ADS? – NooJ Jul 21 '14 at 13:22
  • @NooJ added the info in the post above. Let me know if you need more. – Nick Andriopoulos Jul 21 '14 at 13:31

2 Answers

Answering my own question:

the only thing wrong was the valid users section in smb.conf - it appears that %S didn't work at all.

Thus, for a security group named "WebDevGrp" in Windows, on CentOS it will be shown as webdevgrp@mydomain.local (you can test via groups myuser@mydomain.local), and you can then make the Samba share like so:

[vHosts]
  comment = Virtual Host repository
  path = /var/www/vhosts
  public = no
  writable = yes
  guest ok = no
  valid users = @"webdevgrp@mydomain.local"

and you don't even get prompted for a password - it's all seamless!

PS. When debugging Samba, add log level = 3 to your config; it makes a heck of a difference!

PPS. I've written a guide to the whole process - going from vanilla freshly installed CentOS 7 to having Samba shares with AD authentication / authorization which you can find at my blog here

Nick Andriopoulos
  • Thanks, and also for the write-up in your blog: helped point the way for Samba (had sssd working for a while). Additionally, I still had auth problems and had to add the line `kerberos method = secrets and keytab` into the [global] section (based on further reading). (Samba 4.7.6 on Ubuntu). This is the only change to the config you've written up. – Chris J Feb 25 '19 at 11:08
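A small check, added here and not part of either answer, that makes the fix above testable before touching the share. In smb.conf, %S is smbd's substitution for the name of the current share, so the question's `valid users = MYDOMAINLOCAL\%S` was looking for an account called `MYDOMAINLOCAL\vHosts`; the code below reads a share's `valid users` entries the way smbd does (expanding %S, treating a leading @, + or & as a group, honouring quotes) and asks NSS via getent, i.e. sssd on the joined host, whether each one resolves. The two smb.conf fragments are constructed from the question and the accepted answer; the function names and the injectable `resolve` callback are my own, so the check can also run without a domain.

```python
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed fragments: the question's failing share and the answer's fix.
BROKEN_CONF = """
[vHosts]
    path = /var/www/vhosts
    valid users = MYDOMAINLOCAL\\%S
"""
FIXED_CONF = """
[vHosts]
    path = /var/www/vhosts
    valid users = @"webdevgrp@mydomain.local"
"""
# One 'valid users' entry: optional group prefix, then a quoted or bare name.
TOKEN = re.compile(r'(?P<prefix>[@+&]?)(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,"]+))')

def parse_shares(conf: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: section name -> {lowercased key: value}."""
    shares: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares

def valid_users(conf: str, share: str) -> List[Tuple[str, str]]:
    """(kind, name) per entry; %S expands to the share name as in smbd,
    and a leading @, + or & marks a group rather than a user."""
    value = parse_shares(conf)[share].get("valid users", "").replace("%S", share)
    entries = []
    for m in TOKEN.finditer(value):
        name = m["quoted"] if m["quoted"] is not None else m["bare"]
        entries.append(("group" if m["prefix"] else "user", name))
    return entries

def getent_resolver(kind: str, name: str) -> bool:
    """Ask NSS (sssd on the joined host) whether the account or group exists."""
    database = "group" if kind == "group" else "passwd"
    return subprocess.run(["getent", database, name], capture_output=True).returncode == 0

def unresolved(conf: str, share: str,
               resolve: Callable[[str, str], bool] = getent_resolver) -> List[str]:
    """Entries of the share's 'valid users' that NSS cannot resolve (empty = OK)."""
    return [f"{kind}:{name}" for kind, name in valid_users(conf, share)
            if not resolve(kind, name)]
```

On the joined CentOS box, `unresolved(open("/etc/samba/smb.conf").read(), "vHosts")` returning a non-empty list points at the same problem the blank `getent passwd` output in the question did, before any password is typed on the Windows side.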
Recently I had to configure a Windows/Samba test environment on Fedora and Windows 2012/Windows 7 and had some similar issues. After changing these registry keys on the Windows servers/clients everything worked nicely:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\DomainCompatibilityMode=1

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\DNSNameResolutionRequired=0

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecureNegociate=0

But I was using winbind/kinit/etc. to perform AD integration. Maybe this could help you.

EDIT1:

  • Have you installed the Kerberos packages (krb5-workstation, krb5-libs, krb5-auth-dialog) on your CentOS?
  • Does "getent passwd" return your Windows domain users?
NooJ
  • See amended answer regarding your questions. I'm trying to find someone who has access to tamper with the registry on our Windows servers (I only have access on the Linux side of things). Do note this is a CLI only installation of CentOS. – Nick Andriopoulos Jul 21 '14 at 14:00