Hello everyone,
I am attempting to set up a Samba file server that uses IPA as a proxy to authenticate AD users. I am using the document below as a template, but it's not working as currently documented. I am wondering if something has changed in the code since that time but the doc hasn't had any update.
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
For the samba client, this is the version of binaries that I am using:
[root@samba4 ~]# rpm -qa | grep samba
samba-common-tools-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-client-4.7.1-6.el7.x86_64
samba-libs-4.7.1-6.el7.x86_64
For IPA server, this is the version I am running:
ipa-server-4.5.4-10.el7_5.1.x86_64
There is a trust relationship between the IPA and the Active Directory. The AD is on corp.example.com domain and the IPA is on eng.example.com. When I point any of the IPA clients to \samba4.eng.example.com, all works as expected. However, when I point any of the AD clients (Windows 10) to \samba4.eng.example.com, I am not having any joy. After parsing the logs, the section below looks like the most relevant part of the logs. What would cause this issue? Any pointer on how to overcome it would be highly appreciated.
Another odd thing is, if I enroll a RHEL 7 system to AD, and then attempt to browse the samba share, everything works fine.
I have shared the full logs on the following link too.
Regards,
William
[2018/06/13 13:42:20.963867, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/06/13 13:42:20.963942, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2018/06/13 13:42:20.964334, 10, pid=14330, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/06/13 13:42:20.965559, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3011(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:96] at ../source3/smbd/smb2_negprot.c:657
[2018/06/13 13:42:20.965625, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:923(smb2_set_operation_credit)
smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/2/1
[2018/06/13 13:42:35.997960, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1080(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: conn[ipv4:192.168.11.108:61944] reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3935
[2018/06/13 13:42:35.998102, 4, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/13 13:42:35.998142, 5, pid=14330, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/06/13 13:42:35.998174, 5, pid=14330, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
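An added example (not part of the original post and not Samba code): a small Python parser for the smbd debug-log format shown in the excerpt above. It pairs each header line with its message and, for every terminated connection, reports the GENSEC mechanisms started, the requests that completed, and the idle time before termination. The function and field names are choices made for this example; the sample input is copied from the post.

```python
import re
from datetime import datetime
# Sample input: five entries copied from the log excerpt in the post above.
SAMPLE = """\
[2018/06/13 13:42:20.963867, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/06/13 13:42:20.963942, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2018/06/13 13:42:20.965559, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3011(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:96] at ../source3/smbd/smb2_negprot.c:657
[2018/06/13 13:42:20.965625, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:923(smb2_set_operation_credit)
smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/2/1
[2018/06/13 13:42:35.997960, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1080(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: conn[ipv4:192.168.11.108:61944] reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3935
"""

# Header line: [timestamp, debug level, pid=..., uid/gid info] source.c:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),"
                    r"[^\]]*\]\s+\S+:\d+\((?P<func>\w+)\)")
TERMINATE = re.compile(r"conn\[(?P<conn>[^\]]+)\] reason\[(?P<reason>\w+)\]")
DONE = re.compile(r"status\[(?P<status>\w+)\].* at (?P<where>\S+):\d+")

def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                            "pid": int(m["pid"]), "func": m["func"], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = f'{entries[-1]["msg"]} {line.strip()}'.strip()
    return entries

def terminations(entries):
    """For each terminated connection, summarise what the same smbd process logged before it."""
    out = []
    for i, e in enumerate(entries):
        t = TERMINATE.search(e["msg"])
        if t:
            prior = [p for p in entries[:i] if p["pid"] == e["pid"]]
            out.append({"conn": t["conn"], "reason": t["reason"],
                        "gensec": [p["msg"].split()[-1] for p in prior if p["func"] == "gensec_start_mech"],
                        "completed": [(d["where"], d["status"]) for p in prior if (d := DONE.search(p["msg"]))],
                        "idle_seconds": round((e["time"] - prior[-1]["time"]).total_seconds(), 3) if prior else None})
    return out

if __name__ == "__main__":
    print(terminations(parse_entries(SAMPLE)))
```

On the excerpt this shows the negotiate reply completing with NT_STATUS_OK and the connection ending with NT_STATUS_CONNECTION_RESET about 15 seconds later, with no further request logged in between.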
On Wed, 13 Jun 2018, William Muriithi via FreeIPA-users wrote:
> There is a trust relationship between the IPA and the Active Directory. The AD is on corp.example.com domain and the IPA is on eng.example.com. When I point any of the IPA clients to \samba4.eng.example.com, all works as expected. However, when I point any of the AD clients (Windows 10) to \samba4.eng.example.com, I am not having any joy. After parsing the logs, the section below looks like the most relevant part of the logs. What would cause this issue? Any pointer on how to overcome it would be highly appreciated.
Yes, it is not supported right now.
Morning Alexander,
> Yes, it is not supported right now.
Quick follow-up question: what Samba setup would you recommend in the interim for someone who is already using IPA? A link would be sufficient if you recall seeing someone who has documented a working setup.
Regards, William
On Thu, 14 Jun 2018, William Muriithi via FreeIPA-users wrote:
> Quick follow-up question: what Samba setup would you recommend in the interim for someone who is already using IPA? A link would be sufficient if you recall seeing someone who has documented a working setup.
As I said, it is not going to work reliably from Windows clients in the current setup. The two notes at the top of the wiki page you referred to are our current take on it.
freeipa-users@lists.fedorahosted.org