Integrating Samba File Server into AD using SSSD

can you please assist me with this problem?

Aim: Setting up a Samba file server on CentOS 7 and joining it to an AD domain using SSSD. Each AD user has an autogenerated shared home directory. Ideally, file shares should be accessible using the user name only (no domain prefix/suffix). Clients should be macOS, CentOS, Windows Server/10.

This works:

- I can log into the file server with just a user name and password. Home drives are created and assigned the correct user and group security.
- Windows Server opens the file share and connects OK. No password required.
- macOS can connect to the file share but as server/username@domain (login is still username and the share accessed is actually also username).

This does not work:

- CentOS client cannot connect to the network share. The user name is not detected properly.
- macOS cannot use server/username. It throws a login denied.

These are the setup steps (hopefully nothing important omitted), starting from a clean CentOS 7 minimal install:

DOMAIN=ads.example.com  # Active Directory Domain
yum -y install sssd realmd ntp adcli oddjob oddjob-mkhomedir samba-common-tools
realm join ${DOMAIN} -U Administrator --automatic-id-mapping=no

vi /etc/sssd/sssd.conf

[sssd]
domains = ads.example.com
config_file_version = 2
services = nss, pam

# Manually added below
default_domain_suffix = ads.example.com
use_fully_qualified_names=True

[domain/ads.example.com]
ad_domain = ads.example.com
krb5_realm = ADS.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /storage0/data/%u
access_provider = ad

# Manually added below
auto_private_groups = true

Restart the sssd service, removing the sssd database:

service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start

vi /etc/samba/smb.conf

[global]
        workgroup = ADS
        server string = Samba File Server %v - %s
        hosts allow = 127. 192.168.
        log file = /var/log/samba/log.%m
        log level = 3
        max log size = 50
        passdb backend = tdbsam
        encrypt passwords = yes
        idmap config * : range = 10000-20000
        password server = *
        security = ads
        server signing = disabled
        realm = ADS.EXAMPLE.COM
        printing = cups
        printcap name = cups
        load printers = no
        cups options = raw
        printcap name = /dev/null

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

On a random CentOS machine (client 1):

cat /etc/fstab

//server/username /media/server1username    cifs            credentials=/home/username/.smbcredentials,users,auto,uid=root,gid=root 0  0

cat /home/username/.smbcredentials

username=username
password=123456
domain=ADS

For the above, I have tried different username and domain combinations. No connection was successful (ADS\username, username@ads.example.com, \, @).

mount /media/server1username

When running mount, this is what is shown in the server logs for client 1:

tail -f /var/log/samba/log.client1

[2019/01/31 21:16:17.068695,  3] ../source3/smbd/oplock.c:1340(init_oplocks)
  init_oplocks: initializing messages.
[2019/01/31 21:16:17.068824,  3] ../source3/smbd/process.c:1958(process_smb)
  Transaction 0 of length 73 (0 toread)
[2019/01/31 21:16:17.068853,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 10412) conn 0x0
[2019/01/31 21:16:17.069621,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [LM1.2X002]
[2019/01/31 21:16:17.069659,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [LANMAN2.1]
[2019/01/31 21:16:17.069668,  3] ../source3/smbd/negprot.c:628(reply_negprot)
  Requested protocol [NT LM 0.12]
[2019/01/31 21:16:17.071456,  3] ../source3/smbd/negprot.c:419(reply_nt1)
  using SPNEGO
[2019/01/31 21:16:17.071480,  3] ../source3/smbd/negprot.c:761(reply_negprot)
  Selected protocol NT LM 0.12
[2019/01/31 21:16:17.073762,  3] ../source3/smbd/process.c:1958(process_smb)
  Transaction 1 of length 232 (0 toread)
[2019/01/31 21:16:17.073806,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBsesssetupX (pid 10412) conn 0x0
[2019/01/31 21:16:17.073833,  3] ../source3/smbd/sesssetup.c:604(reply_sesssetup_and_X)
  wct=12 flg2=0xd801
[2019/01/31 21:16:17.073846,  3] ../source3/smbd/sesssetup.c:106(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2019/01/31 21:16:17.073861,  3] ../source3/smbd/sesssetup.c:147(reply_sesssetup_and_X_spnego)
  NativeOS=[Linux version 4.4.171-1.el7.elrepo.x86_64] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
[2019/01/31 21:16:17.074061,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe0080225
[2019/01/31 21:16:17.077279,  3] ../source3/smbd/process.c:1958(process_smb)
  Transaction 2 of length 448 (0 toread)
[2019/01/31 21:16:17.077323,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBsesssetupX (pid 10412) conn 0x0
[2019/01/31 21:16:17.077378,  3] ../source3/smbd/sesssetup.c:604(reply_sesssetup_and_X)
  wct=12 flg2=0xd801
[2019/01/31 21:16:17.077389,  3] ../source3/smbd/sesssetup.c:106(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2019/01/31 21:16:17.077408,  3] ../source3/smbd/sesssetup.c:147(reply_sesssetup_and_X_spnego)
  NativeOS=[Linux version 4.4.171-1.el7.elrepo.x86_64] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
[2019/01/31 21:16:17.077463,  3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[username] domain=[ADS] workstation=[] len1=0 len2=148
[2019/01/31 21:16:17.077514,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/01/31 21:16:17.077576,  3] ../source3/param/loadparm.c:547(init_globals)
  Initialising global parameters
[2019/01/31 21:16:17.077660,  3] ../source3/param/loadparm.c:2782(lp_do_section)
  Processing section "[global]"
[2019/01/31 21:16:17.077750,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[homes]"
[2019/01/31 21:16:17.077779,  2] ../source3/param/loadparm.c:2799(lp_do_section)
  Processing section "[stefani]"
[2019/01/31 21:16:17.077948,  3] ../source3/param/loadparm.c:1617(lp_add_ipc)
  adding IPC service
[2019/01/31 21:16:17.078006,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [ADS]\[username]@[] with the new password interface
[2019/01/31 21:16:17.078028,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADS]\[username]@[]
[2019/01/31 21:16:17.078117,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/01/31 21:16:17.078173,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [ADS]\[username] at [Thu, 31 Jan 2019 21:16:17.078154 CET] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.168.0.2:33402] mapped to [ADS]\[username]. local host [ipv4:192.168.0.10:445] 
[2019/01/31 21:16:17.078200,  3] ../auth/auth_log.c:591(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2019/01/31 21:16:17.078269,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(247) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2019/01/31 21:16:17.205669,  3] ../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (failed to receive smb request)

Now, whilst I understand that sssd does not support NTLM, how would I connect? I am trying to avoid winbind. Is there something wrong in my settings, or is the non-winbind setup not supported on Linux/CentOS?

I have also tried connecting via KDE, but also without success (I thought trying via mount would be easier for issue detection).
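The log excerpt above contains the line that actually answers "why did the mount fail": Samba's human-readable `Auth:` record, which names the mechanism the client used (`NTLMv2`), the result (`NT_STATUS_LOGON_FAILURE`) and the remote host. When a server is joined with SSSD alone, there is no winbindd to validate NTLM against the domain controller, so every NTLM session from a cifs client will show up exactly like this, while Kerberos sessions will not. The parser below is an added example, not code from the question or from the Samba or SSSD projects: it extracts the fields from `Auth:` lines and tallies NTLM failures per client address so they can be separated from Kerberos logons when reviewing `log.<client>` files. The first line in `SAMPLE_LOG` is copied from the question; the other two (a second failure from the same client and a Kerberos success from a constructed user `someuser` at `192.168.0.3`) are constructed, and the `krb5` mechanism name used there is an assumption about how Samba labels Kerberos logons.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regex for the human-readable "Auth:" line emitted by Samba's auth_log.c,
# in the layout seen in the question's log excerpt.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\] "
    r"mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]\. "
    r"local host \[(?P<local>[^\]]*)\]"
)

# Constructed sample: line 1-2 are from the question, the rest are made up
# for this example (the "krb5" mechanism label is an assumption).
SAMPLE_LOG = """\
[2019/01/31 21:16:17.078173,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [ADS]\\[username] at [Thu, 31 Jan 2019 21:16:17.078154 CET] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.168.0.2:33402] mapped to [ADS]\\[username]. local host [ipv4:192.168.0.10:445]
[2019/01/31 21:16:19.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [ADS]\\[username] at [Thu, 31 Jan 2019 21:16:19.000000 CET] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:192.168.0.2:33410] mapped to [ADS]\\[username]. local host [ipv4:192.168.0.10:445]
[2019/01/31 21:17:02.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [ADS]\\[someuser] at [Thu, 31 Jan 2019 21:17:02.000000 CET] with [krb5] status [NT_STATUS_OK] workstation [] remote host [ipv4:192.168.0.3:40001] mapped to [ADS]\\[someuser]. local host [ipv4:192.168.0.10:445]
"""


@dataclass
class AuthEvent:
    service: str
    domain: str
    user: str
    when: str
    mech: str          # e.g. "NTLMv2" or "krb5"
    status: str        # NT_STATUS_* value
    workstation: str
    remote_addr: str
    remote_port: Optional[int]
    mapped_user: str
    local_addr: str

    @property
    def ok(self) -> bool:
        return self.status == "NT_STATUS_OK"

    @property
    def is_ntlm(self) -> bool:
        return self.mech.upper().startswith("NTLM")


def split_host(field: str) -> Tuple[str, Optional[int]]:
    """Turn Samba's 'ipv4:192.168.0.2:33402' into ('192.168.0.2', 33402)."""
    if ":" not in field:
        return field, None
    _family, rest = field.split(":", 1)
    addr, _, port = rest.rpartition(":")
    if not addr:
        return rest, None
    try:
        return addr, int(port)
    except ValueError:
        return rest, None


def parse_auth_events(log_text: str) -> List[AuthEvent]:
    """Extract every Auth: record from a Samba log; other lines are ignored."""
    events: List[AuthEvent] = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        raddr, rport = split_host(m["remote"])
        laddr, _ = split_host(m["local"])
        events.append(AuthEvent(
            service=m["service"], domain=m["domain"], user=m["user"],
            when=m["when"], mech=m["mech"], status=m["status"],
            workstation=m["workstation"], remote_addr=raddr,
            remote_port=rport, mapped_user=m["mapped_user"], local_addr=laddr,
        ))
    return events


def ntlm_failures(events: List[AuthEvent]) -> List[AuthEvent]:
    """NTLM logons that failed: expected on an SSSD-only join without winbindd."""
    return [e for e in events if e.is_ntlm and not e.ok]


def failures_by_host(events: List[AuthEvent]) -> Dict[str, int]:
    """Count failed logons per client address, whatever the mechanism."""
    counts: Dict[str, int] = {}
    for e in events:
        if not e.ok:
            counts[e.remote_addr] = counts.get(e.remote_addr, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.when}: {e.domain}\\{e.user} via {e.mech} from "
              f"{e.remote_addr}:{e.remote_port} -> {e.status}")
    print("NTLM failures:", len(ntlm_failures(evs)))
    print("failures by host:", failures_by_host(evs))
```

Run it against a real `/var/log/samba/log.<client>` by replacing `SAMPLE_LOG` with the file's contents; a client that only ever appears with an NTLM mechanism and `NT_STATUS_LOGON_FAILURE` is one that has not obtained a Kerberos ticket for the share, which is the situation the CentOS cifs mount above is in.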