I am trying to set up a samba server as part of a freeipa domain. I'd like users on windows machines from two trusted AD domains to access shares on the server (both users and computers are in the trusted AD domains). I've been through the docs (RHEL 8 "Setting up Samba on an IDM domain member", https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA) and built a couple of servers using CentOS 8; results are the same each time -- no worky.
These servers integrate with Freeipa fine -- users from both trusted AD domains can SSH in etc. But errors are legion in samba. Both IPA and AD domains (and the trust relationships) have been in production for a while working fine so I'm pretty confident DNS is ok. Kerberos seems to be working fine too as I can kinit users in all domains OK from the samba box. I'm confident firewalls are not blocking anything. I'm thinking it's winbind that is the key problem, with it somehow not being able to auth to the AD domains, but I'm not experienced with Samba/winbind so I'm struggling after all day on it. Any guidance would be appreciated.
-----
[root@ner-cont-tfer01 samba]# cat log.smbd
[2020/03/03 18:49:25.650974, 0] ../../source3/smbd/server.c:1782(main) smbd version 4.10.4 started. Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/03/03 18:49:25.651595, 2] ../../source3/lib/tallocmsg.c:56(register_msg_pool_usage) Registered MSG_REQ_POOL_USAGE
[2020/03/03 18:49:25.651616, 2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2020/03/03 18:49:25.651658, 3] ../../source3/param/loadparm.c:3872(lp_load_ex) lp_load_ex: refreshing parameters
[2020/03/03 18:49:25.651703, 3] ../../source3/param/loadparm.c:550(init_globals) Initialising global parameters
[2020/03/03 18:49:25.651773, 3] ../../source3/param/loadparm.c:2786(lp_do_section) Processing section "[global]"
[2020/03/03 18:49:25.651976, 2] ../../source3/param/loadparm.c:2803(lp_do_section) Processing section "[transfer]"
[2020/03/03 18:49:25.652112, 3] ../../source3/param/loadparm.c:1621(lp_add_ipc) adding IPC service
[2020/03/03 18:49:25.652353, 2] ../../source3/lib/interface.c:345(add_interface) added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.652401, 3] ../../source3/smbd/server.c:1851(main) loaded services
[2020/03/03 18:49:25.662297, 1] ../../source3/profile/profile.c:51(set_profile_level) INFO: Profiling turned OFF from pid 2872
[2020/03/03 18:49:25.662333, 3] ../../source3/smbd/server.c:1871(main) Standard input is not a socket, assuming -D option
[2020/03/03 18:49:25.662347, 3] ../../source3/smbd/server.c:1883(main) Becoming a daemon.
[2020/03/03 18:49:25.662669, 2] ../../source3/passdb/pdb_interface.c:161(make_pdb_method_name) No builtin backend found, trying to load plugin
[2020/03/03 18:49:25.667658, 3] ../../lib/util/modules.c:167(load_module_absolute_path) load_module_absolute_path: Module '/usr/lib64/samba/pdb/tdbsam.so' loaded
[2020/03/03 18:49:25.670380, 3] ../../source3/lib/util_procid.c:54(pid_to_procid) pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2020/03/03 18:49:25.708568, 3] ../../source3/rpc_server/svcctl/srv_svcctl_reg.c:565(svcctl_init_winreg) Initialise the svcctl registry keys if needed.
[2020/03/03 18:49:25.710710, 3] ../../source3/rpc_server/eventlog/srv_eventlog_reg.c:59(eventlog_init_winreg) Initialise the eventlog registry keys if needed.
[2020/03/03 18:49:25.711103, 0] ../../lib/util/become_daemon.c:136(daemon_ready) daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2020/03/03 18:49:25.711395, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list) get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.716447, 3] ../../source3/libads/ldap.c:636(ads_connect) Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.716507, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list) get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.717755, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list) get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.720066, 3] ../../source3/libads/ldap.c:636(ads_connect) Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.729787, 3] ../../source3/libads/ldap.c:679(ads_connect) Connected to LDAP server ld9-cont-idm2.idm.domain.lan
[2020/03/03 18:49:25.733298, 3] ../../source3/printing/nt_printing_ads.c:650(check_published_printers) ads_connect failed: No results returned
[2020/03/03 18:49:25.733672, 0] ../../source3/printing/nt_printing.c:249(nt_printing_init) nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2020/03/03 18:49:25.733738, 3] ../../source3/printing/queue_process.c:328(start_background_queue) start_background_queue: Starting background LPQ thread
[2020/03/03 18:49:25.736685, 1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh) Failed to fetch record!
[2020/03/03 18:49:25.736760, 2] ../../source3/smbd/server.c:1415(smbd_parent_loop) waiting for connections
[2020/03/03 18:49:25.737512, 3] ../../source3/printing/pcap.c:140(pcap_cache_reload) reloading printcap cache
[2020/03/03 18:49:25.738321, 3] ../../source3/printing/pcap.c:194(pcap_cache_reload) reload status: ok
[2020/03/03 18:49:25.739690, 3] ../../source3/printing/print_cups.c:158(cups_connect) Unable to connect to CUPS server localhost:631 - Bad file descriptor
[2020/03/03 18:49:25.740315, 3] ../../source3/printing/print_cups.c:536(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2020/03/03 18:49:25.740359, 2] ../../lib/util/tevent_debug.c:66(samba_tevent_debug) samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x557b78295c20] mpx_fde[(nil)] fd[15] - disabling
-----
[root@ner-cont-tfer01 samba]# cat log.winbindd
[2020/03/03 18:49:25.540832, 0] ../../source3/winbindd/winbindd.c:1731(main) winbindd version 4.10.4 started. Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/03/03 18:49:25.541626, 2] ../../source3/lib/tallocmsg.c:56(register_msg_pool_usage) Registered MSG_REQ_POOL_USAGE
[2020/03/03 18:49:25.541648, 2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2020/03/03 18:49:25.541685, 3] ../../source3/param/loadparm.c:3872(lp_load_ex) lp_load_ex: refreshing parameters
[2020/03/03 18:49:25.541729, 3] ../../source3/param/loadparm.c:550(init_globals) Initialising global parameters
[2020/03/03 18:49:25.541748, 2] ../../source3/param/loadparm.c:322(max_open_files) rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2020/03/03 18:49:25.541812, 3] ../../source3/param/loadparm.c:2786(lp_do_section) Processing section "[global]"
[2020/03/03 18:49:25.542292, 2] ../../source3/lib/interface.c:345(add_interface) added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.542439, 2] ../../source3/lib/interface.c:345(add_interface) added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.544253, 2] ../../source3/passdb/pdb_interface.c:161(make_pdb_method_name) No builtin backend found, trying to load plugin
[2020/03/03 18:49:25.549553, 3] ../../lib/util/modules.c:167(load_module_absolute_path) load_module_absolute_path: Module '/usr/lib64/samba/pdb/tdbsam.so' loaded
[2020/03/03 18:49:25.549763, 0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache) initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2020/03/03 18:49:25.552125, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain) add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
[2020/03/03 18:49:25.552184, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain) add_trusted_domain: Added domain [NER-CONT-TFER01] [(null)] [S-1-5-21-3888470300-4080800567-3624582073]
[2020/03/03 18:49:25.552238, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain) add_trusted_domain: Added domain [IDM] [IDM.CONTENT.domain.lan] [S-1-5-21-2682878861-151095253-3776833076]
[2020/03/03 18:49:25.552602, 0] ../../lib/util/become_daemon.c:136(daemon_ready) daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
[2020/03/03 18:49:25.704494, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version) winbindd_interface_version: [smbd (2872)]: request interface version (version = 31)
[2020/03/03 18:49:25.704604, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping) winbindd_ping: [smbd (2872)]: ping
[2020/03/03 18:49:25.795046, 1] ../../source3/winbindd/winbindd_util.c:442(trustdom_list_done) trustdom_list_done: Could not receive trusts for domain IDM
-----
[root@ner-cont-tfer01 samba]# cat log.wb-IDM
[2020/03/03 18:49:25.568371, 3] ../../source3/winbindd/winbindd_cm.c:2148(connection_ok) connection_ok: Connection to (null) for domain IDM is not connected
[2020/03/03 18:49:25.580016, 3] ../../source3/libads/ldap.c:636(ads_connect) Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.580096, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list) get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.591042, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list) get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.613487, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to 10.17.10.60 at port 445
[2020/03/03 18:49:25.658699, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of secrets.ldb
[2020/03/03 18:49:25.658913, 3] ../../source3/libsmb/cliconnect.c:273(cli_session_creds_prepare_krb5) got OID=1.2.840.48018.1.2.2
[2020/03/03 18:49:25.696869, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'gssapi_spnego' registered
[2020/03/03 18:49:25.696927, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'gssapi_krb5' registered
[2020/03/03 18:49:25.696942, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered
[2020/03/03 18:49:25.696954, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'spnego' registered
[2020/03/03 18:49:25.696970, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'schannel' registered
[2020/03/03 18:49:25.696983, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'naclrpc_as_system' registered
[2020/03/03 18:49:25.696996, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'sasl-EXTERNAL' registered
[2020/03/03 18:49:25.697008, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'ntlmssp' registered
[2020/03/03 18:49:25.697019, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/03/03 18:49:25.697031, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'http_basic' registered
[2020/03/03 18:49:25.697043, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'http_ntlm' registered
[2020/03/03 18:49:25.697055, 3] ../../auth/gensec/gensec_start.c:977(gensec_register) GENSEC backend 'http_negotiate' registered
[2020/03/03 18:49:25.774922, 3] ../../source3/winbindd/winbindd_misc.c:291(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: [ 2869]: list trusted domains
[2020/03/03 18:49:25.774969, 3] ../../source3/winbindd/winbindd_ads.c:1400(trusted_domains) ads: trusted_domains
[2020/03/03 18:49:25.775303, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect) ldb_wrap open of secrets.ldb
[2020/03/03 18:49:25.775766, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to 10.17.10.60 at port 135
[2020/03/03 18:49:25.777290, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to 10.17.10.60 at port 49152
[2020/03/03 18:49:25.790440, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to 10.17.10.60 at port 135
[2020/03/03 18:49:25.792367, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to 10.17.10.60 at port 49152
[2020/03/03 18:49:25.794491, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu) ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host ld9-cont-idm2.idm.domain.lan!
[2020/03/03 18:49:25.794528, 3] ../../source3/winbindd/winbindd_ads.c:1400(trusted_domains) ads: trusted_domains
[2020/03/03 18:49:25.794913, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu) ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host ld9-cont-idm2.idm.domain.lan!
[2020/03/03 18:49:25.794945, 3] ../../source3/winbindd/winbindd_misc.c:297(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
-----
There are no users in the IDM domain, but there are groups, yet wbinfo doesn't turn them up:
[root@ner-cont-tfer01 samba]# wbinfo -g
[root@ner-cont-tfer01 samba]#
-----
wbinfo can look up the trusted domains, but doesn't show them as trusted:
[root@ner-cont-tfer01 samba]# wbinfo --getdcname=AD
dc2 (no domain portion)
[root@ner-cont-tfer01 samba]# wbinfo --getdcname=MOPO
dc1.mopo.lan
[root@ner-cont-tfer01 samba]# wbinfo -m
BUILTIN
NER-CONT-TFER01
IDM
-----
klist shows the principal correctly I think:
[root@ner-cont-tfer01 samba]# klist -k /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifs/ner-cont-tfer01.idm.domain.lan@IDM.DOMAIN.LAN
   1 cifs/ner-cont-tfer01.idm.domain.lan@IDM.DOMAIN.LAN
   1 cifs/ner-cont-tfer01.idm.domain.lan@IDM.DOMAIN.LAN
-----
Any pointers appreciated!
On Tue, 03 Mar 2020, C T via FreeIPA-users wrote:
Your details are not enough. Could you please show exactly what you ran to set up the file server and what problems you see? No need to show Samba logs without that first.
The instructions in RHEL 8 documentation (basically, have RHEL 8.1 machines for IPA master and IPA client, install and run ipa-client-samba tool and start smb/winbind services) should be enough. Anything else is not needed and should not be needed.
Do not look into wbinfo output, it is misleading and is not really relevant here. Show how you set things up. We have SMB setup tested every week in upstream CI, for both IPA users and trusted AD users and there are no issues for quite some time:
Fedora 31: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cb96c692...
Fedora 30: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/68aeafbc...
You can expand the reports to see detailed logs, https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_smb.p... is the test suite that defines all those tests.
Can you show how smbclient behaves when you are using it against the SMB server you set up? You can see expected use and expected output in the test reports above.
Also, design documents for the integration are here:
Domain Member: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-memb...
Domain Controller: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-cont...
I actually think it's working fine now. My problem seems to have been a straightforward file permissions issue, but I was completely thrown by the number of errors in the various logs (even with no debug logging) and the behaviour of wbinfo, and couldn't see the wood for the trees.
Thanks though anyway.
Alexander Bokovoy wrote:
freeipa-users@lists.fedorahosted.org