
I've inherited a Samba 4 Active Directory (AD) server. It works fine with winbind, however for security reasons we'd like to change to sssd. The domain has two domain controllers (primary and secondary) both online.

I've created a test client machine, and followed the steps here to connect to the domain using sssd. The client says it has connected to the domain, and does appear in the domain (when I use Active Directory Users and Computers).

However, logins and getent do not work.

/var/log/auth.log

Jun 12 14:19:16 clientCompName sshd[9349]: Invalid user adusername from xxx.xxx.xx8.149 port 42304
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): check pass; user unknown
Jun 12 14:19:20 clientCompName sshd[9349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xx8.149
Jun 12 14:19:21 clientCompName sshd[9349]: Failed password for invalid user adusername from xxx.xxx.xx8.149 port 42304 ssh2

If I do a realm discover, I notice the clients seem to be locked into using winbind.

root@clientCompName:/etc/pam.d# realm discover ADDOMAIN.MYDOMAN.DE
addomain.mydomain.de
type: kerberos
realm-name: ADDOMAIN.MYDOMAN.DE
domain-name: addomain.mydomain.de
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: winbind
required-package: libpam-winbind
required-package: samba-common-bin
login-formats: SMBAD\%U
login-policy: allow-any-login

/etc/pam.d/common-auth

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so 
# end of pam-auth-update config

/etc/pam.d/common-session

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required        pam_unix.so 
session optional                        pam_sss.so 
session optional        pam_systemd.so 
# end of pam-auth-update config

/etc/pam.d/common-account

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
account requisite                       pam_deny.so
account required                        pam_permit.so
account sufficient                      pam_localuser.so 
account [default=bad success=ok user_unknown=ignore]    pam_sss.so 
# end of pam-auth-update config

Is there a way to convert the AD to use sssd instead of winbind (or to accept both)?

BurningKrome

1 Answer


This worked for me - you can exclude the samba packages if you like?

yum install sssd krb5-workstation samba-common authconfig adcli samba samba-client sssd-libwbclient policycoreutils-python
systemctl enable sssd
systemctl start sssd
systemctl enable smb
systemctl restart smb
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir

Edit /etc/nsswitch.conf so the lines look like:

passwd:     files sss
shadow:     files sss
group:      files sss

Then

kinit adminuser

(use an AD admin account)

klist

(check ticket)

realm join --user=\adminuser@DOMAIN DOMAIN

Edit /etc/sssd/sssd.conf:

use_fully_qualified_names = False
fallback_homedir = /home/%u

Then:

systemctl start sssd

Edit /etc/samba/smb.conf and check that these lines are still there:

security = ads
realm = DOMAIN 
workgroup = ...

Then:

systemctl restart smb

Test:

realm discover DOMAIN
id domainuser
Piotr P. Karwasz
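A check script to go with the test step above, added here and not part of the answer: it reads `realm list` output, nsswitch.conf and the PAM auth stack as text and reports whether the client is really wired to sssd or still to winbind, as the question's client was. The sample inputs are constructed to mirror the question, and the Debian-style PAM path in the trailing comment is an assumption.

```shell
# Added check, not from the original answer: confirm a joined client is wired
# to sssd rather than winbind. All three inputs are passed as text so the
# logic runs offline on constructed samples: `realm list` output
# (client-software), /etc/nsswitch.conf (passwd/group), and the PAM auth stack.

# Print the value of the "client-software:" line from realm output.
realm_client_software() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*client-software:[[:space:]]*//p' | head -n 1
}

# Succeed only if both passwd and group lookups include the sss source.
nss_uses_sss() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "sss") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "sss") g = 1 }
        END { exit !(p && g) }'
}

# Succeed only if an uncommented auth line references pam_sss.so.
pam_uses_sss() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so'
}

# Print "ok", or the first problem found, and return non-zero on a problem.
sssd_wiring_status() {
    cs=$(realm_client_software "$1")
    if [ "$cs" != "sssd" ]; then
        printf 'realm still uses %s\n' "${cs:-unknown}"; return 1
    fi
    if ! nss_uses_sss "$2"; then printf 'nsswitch lacks sss\n'; return 1; fi
    if ! pam_uses_sss "$3"; then printf 'pam lacks pam_sss.so\n'; return 1; fi
    printf 'ok\n'
}

# Constructed samples mirroring the state shown in the question.
SAMPLE_REALM='addomain.example
  type: kerberos
  configured: kerberos-member
  client-software: winbind'
SAMPLE_NSS='passwd:     files sss
group:      files sss'
SAMPLE_PAM='auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so'

# On a real host (Debian-style PAM path assumed; RHEL uses /etc/pam.d/system-auth):
# sssd_wiring_status "$(realm list)" "$(cat /etc/nsswitch.conf)" "$(cat /etc/pam.d/common-auth)"
```

With the question's own state the script reports "realm still uses winbind", which is the mismatch behind the "user unknown" lines in auth.log: PAM and nsswitch point at sss, but the realm itself is still configured for winbind.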