I have SSSD working and can log in to my Oracle Linux 7.6 server, but I cannot access Samba shares. I was following a few "how-tos" I found and tried several different configs. I finally have one that allows me to connect to my home directory but not the other share.
[global]
#security = user
security = user
netbios name = sasprodl2p
restrict anonymous = 2
machine password timeout = 0
passdb backend = tdbsam
#passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
encrypt passwords = yes
realm = WS.WSFGRP.NET
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
#client use spnego principal = true
#
# Setting "send spnego principal" to yes makes Samba send the service principal
# to Windows 2008; otherwise it is not sent.
#
#send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
#server signing = auto
server signing = mandatory
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
#ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable logging to syslog and write only to Samba's standard log files.
#syslog = 0
# If public = No is set, the "valid users" parameter should be set as well.
# When the user or group is in AD, the syntax is:
# valid users = WS\username +WS\group
writable = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[models]
comment = SAS Models
path = /opt/models
valid users = ws\mkreyenh,ws\sminix,ws\jkinning,ws\kclark
read only = No
If I change the security to ads, like I saw some of the other examples use, Samba doesn't start.
-- Subject: Unit winbind.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit winbind.service has failed.
--
-- The result is failed.
Mar 13 14:09:54 sasprodl2p systemd[1]: Unit winbind.service entered failed state.
Mar 13 14:09:54 sasprodl2p systemd[1]: winbind.service failed.
Mar 13 14:09:54 sasprodl2p polkitd[9069]: Unregistered Authentication Agent for unix-process:16677:416727 (
Mar 13 14:09:56 sasprodl2p polkitd[9069]: Registered Authentication Agent for unix-process:16693:417023 (sy
Mar 13 14:09:56 sasprodl2p systemd[1]: Stopping Samba SMB Daemon...
-- Subject: Unit smb.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has begun shutting down.
Mar 13 14:09:57 sasprodl2p systemd[1]: Stopped Samba SMB Daemon.
-- Subject: Unit smb.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has finished shutting down.
Mar 13 14:09:57 sasprodl2p systemd[1]: Starting Samba SMB Daemon...
-- Subject: Unit smb.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has begun starting up.
Mar 13 14:09:57 sasprodl2p smbd[16700]: [2019/03/13 14:09:57.067684, 0] ../source3/auth/auth_util.c:1372(m
Mar 13 14:09:57 sasprodl2p smbd[16700]: create_local_token failed: NT_STATUS_NO_MEMORY
Mar 13 14:09:57 sasprodl2p smbd[16700]: [2019/03/13 14:09:57.067806, 0] ../source3/smbd/server.c:1993(main
Mar 13 14:09:57 sasprodl2p smbd[16700]: ERROR: failed to setup guest info.
Mar 13 14:09:57 sasprodl2p systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Mar 13 14:09:57 sasprodl2p systemd[1]: Failed to start Samba SMB Daemon.
-- Subject: Unit smb.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has failed.
--
-- The result is failed.
If I change back to user, it starts and I can access the shares, just my home directory, not the models. With SSSD and smb do you need winbind? I have tried both yes and no but still get the same results. Is there a good guide for setting up Samba with SSSD?
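As an added example (my own code, not the poster's or the Samba project's), a small Python parser that reads an smb.conf fragment modelled on the posted one, folds `writable` into `read only`, applies the [global] fallback that Samba uses for share parameters, and lists the `DOMAIN\user` entries in each share's `valid users` that smbd has to resolve through NSS (SSSD on this host) before access can work; it also reports the `security` / `passdb backend` pair that decides where passwords are verified. The config text is constructed for the example.

```python
import re

# Constructed smb.conf fragment modelled on the one in the post (not the poster's actual file).
SAMPLE_SMB_CONF = r"""
[global]
security = user
passdb backend = tdbsam
writable = yes
[homes]
valid users = %S, %D%w%S
read only = No
[models]
valid users = ws\mkreyenh,ws\sminix
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; 'writable' synonyms fold into an inverted 'read only'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("writable", "writeable", "write ok"):   # Samba synonyms for NOT read only
                key, value = "read only", "no" if value.lower() in ("yes", "true", "1") else "yes"
            sections[current][key] = value
    return sections

def effective(sections, share, key, default=None):
    """Share-level value, falling back to [global] as Samba does for share parameters."""
    return sections.get(share, {}).get(key, sections.get("global", {}).get(key, default))

def nss_names(sections, share):
    """'valid users' entries smbd must resolve via NSS (SSSD here); %-macros are expanded by Samba itself."""
    raw = effective(sections, share, "valid users", "")
    return [u for u in re.split(r"[,\s]+", raw) if u and "%" not in u]

def audit(sections):
    """Where passwords are verified (security + passdb backend) and what each share needs from NSS."""
    g = sections.get("global", {})
    report = {"security": g.get("security", "user").lower(),
              "passdb backend": g.get("passdb backend", "tdbsam").split(":")[0], "shares": {}}
    for share in (s for s in sections if s != "global"):
        report["shares"][share] = {"read only": effective(sections, share, "read only", "yes").lower(),
                                   "nss names": nss_names(sections, share)}
    return report
```

Every name in `nss names` should resolve with `getent passwd` (or `getent group` for `+group` entries) on the Samba host; with `security = user` and `passdb backend = tdbsam`, the password check itself happens against the local tdb, not against AD.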