Thread: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

  1. #1
    Join Date
    Feb 2019
    Beans
    6

    20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Hello everyone,

    I have 3 Ubuntu 20 servers in my company, all of them were using Samba 4.11 or superior with SSSD authenticating against my AD (Windows Server 2019 AD), with shares working fine. My smb.conf is configured for security = ads. I had ACL permissions in the shares using AD Groups.

    I know I know, Samba 4.11+ was not supposed to work with SSSD. But I had it working fine for months.

    2 weeks ago, on the same day, all shares stopped working for a reason I do not know. I had to reconfigure Server #1, which was my priority, to use Winbind (ugh) and let company users carry on with their lives. Now I have tested a bunch of different configs for Servers #2 and #3, several combinations of smb.conf and sssd.conf, but haven't been able to get them back up and running again. I'm seeing 2 strange errors, on sssd status:


    Code:
    nov 24 12:19:31 MYSERVER.mydomain.local systemd[1]: Started System Security Services Daemon.
    nov 24 12:19:40 MYSERVER.mydomain.local sssd[121856]: ; TSIG error with server: tsig verify failure
    nov 24 12:19:40 MYSERVER.mydomain.local sssd[121856]: update failed: REFUSED
    nov 24 12:19:40 MYSERVER.mydomain.local sssd[121860]: ; TSIG error with server: tsig verify failure
    nov 24 12:19:40 MYSERVER.mydomain.local sssd[121860]: update failed: REFUSED

    Which I don't think is relevant, since SSSD is working fine (I can log in via SSH, and see users through the "id <user>" command).

    And in /var/log/samba/ I have the classic winbind not running error:


    [2021/11/24 12:03:06.253828, 0] ../../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac )
    auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

    Which I believe is the main problem.

    How can I force Samba to use SSSD? I don't understand why it simply stopped working out of nowhere, and the stranger thing is that it happened to all 3 servers on the same day. Could it be a Windows update or something?



    I can post my .conf files but as I said, I have tried a lot of different combinations and none of them worked, and I believe it's simply because for some reason my Samba is trying to use Winbind, which it was not supposed to do since it was using SSSD from day 1 of installation.

    Thanks for any help!!!
    Last edited by slickymaster; 5 Days Ago at 04:44 PM. Reason: code tags

  2. #2
    Join Date
    Nov 2012
    Location
    Halloween Town
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Thread moved to Server Platforms.

  3. #3
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,562
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    You are only looking at (or reporting) 1/2 of the puzzle. Make sure you look at the domain controller's event logs for correlating messages.

    I have had Windows updates break connections with Linux. One way to test this is to check the Windows Update history to see if an update was applied just prior to connectivity breaking. If you find a correlating patch, try removing the patch to see if connectivity is restored. Then research that patch.

    LHammonds

  4. #4
    Join Date
    Feb 2019
    Beans
    6

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Hey Hammonds, first of all thanks for your help.

    I did check the logs, couldn't find anything related to authentication. I also have checked my AD Administrative Center to check if Linux servers were okay, and everything seems fine. Like I said, SSSD is working, I can log into Linux with AD users, I can map AD groups on ACLs, "id <user>" command gets correct info about users and everything.

    Somehow only the Samba shares stopped working with SSSD, which is weird. Here's my original smb.conf from when it stopped working:

    Code:
    [global]
            netbios name = MYSERVER
            server string = 'MYSERVER'
            dns forwarder = 192.168.0.201
    
    
            security = ads
            kerberos method = secrets and keytab
            dedicated keytab file = /etc/krb5.keytab
    
    
            realm = mydomain.local
            workgroup = MYDOMAIN
    
    
            log file = /var/log/samba/log.%m
            max log size = 1000
            logging = file
    
    
            panic action = /usr/share/samba/panic-action %d
            server role = standalone server
    
    
            obey pam restrictions = yes
            unix password sync = yes
    
    
            passwd program = /usr/bin/passwd %u
    
    
            pam password change = yes
            map to guest = bad user
    
    
            template homedir = /home/%U
            template shell = /bin/bash
    
    
            idmap config * :              backend = tdb
            idmap config * :              range   = 3000-7999
    
    
            idmap config MYDOMAIN : backend = ad
            idmap config MYDOMAIN : schema_mode = rfc2307
            idmap config MYDOMAIN : range = 10000-9999999
    
    
            vfs objects = acl_xattr
            map acl inherit = Yes
            store dos attributes = Yes
    
    
            load printers = no
            printing = bsd
            printcap name = /dev/null
            disable spoolss = yes
    
    [homes]
            comment = User home folders
            browseable = no
            read only = no
            create mask = 4755
            directory mask = 4755
            valid users = %S
    
    
    [ExampleShare]
            path = /var/share
            available = yes
            browseable = no
            guest ok = no
            public = no
            read only = yes
    
    
            valid users = @"domain admins"

    I have tried:

    - Changing security to user
    - Changing backend to rid
    - Removing MYDOMAIN backend at all
    - Removing "valid users" setting from the shares
    - Removing workgroup setting
    - All of the above combined, and also changes in sssd.conf

    Everything always results in the winbind not running log message.

    I had these shares working from domain joined stations and also from WORKGROUP stations (users connecting from their home PCs via VPN).

    I can post more logs and .conf files if necessary.

    Thanks again!

  5. #5
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,562
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    I will defer to others that actually run this kind of setup (I don't) but I recall needing to make sure the authentication method needed to be tied into PAM and if an update ever reset the PAM configuration, you would need to stitch it back up. It does not "normally" overwrite config files but scripts or people might say to not keep the original config and just use the newer config...which is a non-configured default.

    If you have versioned backups, take a look and compare all your current configs to what they were a month ago (or some point in time before they stopped working)

    LHammonds

  6. #6
    Join Date
    Apr 2020
    Beans
    4

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    If you must use sssd (ugh) with Samba, then you must also install and run winbind, you must also use idmap-sss.

  7. #7
    Join Date
    Feb 2019
    Beans
    6

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Good morning everyone,

    "If you have versioned backups, take a look and compare all your current configs to what they were a month ago (or some point in time before they stopped working)"

    I do, I have it for smb.conf, nsswitch.conf, resolv.conf, timesyncd.conf, but I've never changed any pam files, could you tell me which PAM config you mean? In every setup I run pam-auth-update and leave everything checked (SSS authentication for example, and homedir creation).

    "If you must use sssd (ugh) with Samba, then you must also install and run winbind, you must also use idmap-sss."

    lmao, I don't know why people hate sssd so much, I use it for a while now and I find it more simple to setup, easy to maintain and also more secure. Winbind allowing NTLM is a big down for me. Anyway, I tried to install idmap-sss package but couldn't find it. Also, as far as I know I can't run winbind with sssd since they share some libraries, isn't that right?

    I appreciate all the help so far. Will look for additional configs I may be missing, like the PAM ones.

  8. #8
    Join Date
    Apr 2020
    Beans
    4

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Quote Originally Posted by pdiego.silva View Post

    lmao, I don't know why people hate sssd so much, I use it for a while now and I find it more simple to setup, easy to maintain and also more secure. Winbind allowing NTLM is a big down for me. Anyway, I tried to install idmap-sss package but couldn't find it. Also, as far as I know I can't run winbind with sssd since they share some libraries, isn't that right?

    I don't hate sssd, I just do not see the point to using it with Samba. From Samba 4.8.0 you must run winbind, so you have to configure sssd and Samba, you also have to use idmap-sss (part of sssd). It is much easier to just use Samba, just smb.conf to configure, plus you get all the things that sssd doesn't do, shares, ACL's etc.
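
An added example, not part of any post in this thread and not Samba or SSSD project code: a small Python check that reads the [global] section of an smb.conf like the one posted in #4 and reports the two conditions raised in the replies (winbindd required when `security = ads`, and idmap-sss as the domain's idmap backend). The function names, finding labels and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the [global] lines from the thread's smb.conf that matter here.
SAMPLE_SMB_CONF = """\
[global]
        security = ads
        realm = mydomain.local
        workgroup = MYDOMAIN
        idmap config * :              backend = tdb
        idmap config * :              range   = 3000-7999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 10000-9999999
[ExampleShare]
        path = /var/share
"""

def parse_global(text):
    """Return the [global] parameters with normalized (lowercase, single-space) names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace differences inside parameter names.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_domain_member(params, winbind_running):
    """Hypothetical checks derived from the replies in this thread."""
    findings = []
    if params.get("security", "").lower() != "ads":
        return findings  # not configured as an AD domain member
    if not winbind_running:
        # Matches the log line: "winbindd not running - but required as domain member"
        findings.append("winbindd-required")
    domain = params.get("workgroup", "").lower()
    backend = params.get(f"idmap config {domain} : backend", "")
    if backend.lower() != "sss":
        # Reply #8: with SSSD providing identities, the idmap backend is idmap-sss.
        findings.append(f"idmap-backend-{backend or 'unset'}-not-sss")
    return findings
```

On a live host the `winbind_running` argument would come from the service manager; here it is passed in so the check runs offline.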

  9. #9
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,562
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: 20.04.3 + Samba 4.13 + SSSD - Stop working after it was fine

    Quote Originally Posted by pdiego.silva View Post
    could you tell me which PAM config you mean?

    man pam.conf
