When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1 (MIT Kerberos), it fails with the following error:
[root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC --range-type=ipa-ad-trust --two-way=true --admin=Administrator --server dc.atlas5.hpc
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials
IPA Server Versions
-------------------
[root@atlas5ipa samba]# rpm -qa | grep ipa
python2-ipaclient-4.5.4-10.el7.centos.noarch
ipa-server-trust-ad-4.5.4-10.el7.centos.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.16.0-19.el7.x86_64
sssd-ipa-1.16.0-19.el7.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
ipa-python-compat-4.5.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
ipa-common-4.5.4-10.el7.centos.noarch
python2-ipaserver-4.5.4-10.el7.centos.noarch
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-dns-4.5.4-10.el7.centos.noarch
libipa_hbac-1.16.0-19.el7.x86_64
ipa-server-common-4.5.4-10.el7.centos.noarch
python2-ipalib-4.5.4-10.el7.centos.noarch
ipa-client-common-4.5.4-10.el7.centos.noarch
[root@atlas5ipa samba]# rpm -qa | grep samba
samba-libs-4.7.1-6.el7.x86_64
samba-common-tools-4.7.1-6.el7.x86_64
samba-winbind-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-4.7.1-6.el7.x86_64
samba-winbind-modules-4.7.1-6.el7.x86_64
samba-python-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
Samba DC Server Versions
------------------------
Samba 4.8.1 compiled with MIT Kerberos against GNUTLS 3.5.0
Note: The IPA server and Samba AD server are running on separate VMs. Both have CentOS 7.3.1611 installed.
Here are the last few lines in the /var/log/httpd/error_log file from the IPA server. You can see that information about both sides is being exchanged but it ends up failing.
---
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
    out: struct lsa_lsaRSetForestTrustInformation
        collision_info           : *
            collision_info           : NULL
        result                   : NT_STATUS_OK
rpc reply data:
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    in: struct lsa_QueryTrustedDomainInfoByName
        handle                   : *
            handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000016-0000-0000-f15a-25affc130000
        trusted_domain           : *
            trusted_domain: struct lsa_String
                length                   : 0x0014 (20)
                size                     : 0x0014 (20)
                string                   : *
                    string                   : 'atlas5.hpc'
        level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
signed SMB2 message
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info                     : *
            info                     : NULL
        result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    in: struct lsa_CreateTrustedDomainEx2
        policy_handle            : *
            policy_handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000016-0000-0000-f15a-25affc130000
        info                     : *
            info: struct lsa_TrustDomainInfoInfoEx
                domain_name: struct lsa_StringLarge
                    length                   : 0x0014 (20)
                    size                     : 0x0016 (22)
                    string                   : *
                        string                   : 'atlas5.hpc'
                netbios_name: struct lsa_StringLarge
                    length                   : 0x000c (12)
                    size                     : 0x000e (14)
                    string                   : *
                        string                   : 'ATLAS5'
                sid                      : *
                    sid                      : S-1-5-21-600493320-3079828444-3896724992
                trust_direction          : 0x00000003 (3)
                       1: LSA_TRUST_DIRECTION_INBOUND
                       1: LSA_TRUST_DIRECTION_OUTBOUND
                trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
                trust_attributes         : 0x00000000 (0)
                       0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                       0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                       0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                       0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                       0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                       0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
        auth_info_internal       : *
            auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
                auth_blob: struct lsa_DATA_BUF2
                    size                     : 0x00000440 (1088)
                    data                     : *
                        data: ARRAY(1088)
        access_mask              : 0x00010000 (65536)
               0: LSA_TRUSTED_QUERY_DOMAIN_NAME
               0: LSA_TRUSTED_QUERY_CONTROLLERS
               0: LSA_TRUSTED_SET_CONTROLLERS
               0: LSA_TRUSTED_QUERY_POSIX
               0: LSA_TRUSTED_SET_POSIX
               0: LSA_TRUSTED_SET_AUTH
               0: LSA_TRUSTED_QUERY_AUTH
signed SMB2 message
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        trustdom_handle          : *
            trustdom_handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000000-0000-0000-0000-000000000000
        result                   : NT_STATUS_ACCESS_DENIED
[Tue May 08 10:07:34.739980 2018] [:error] [pid 3854] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN.COM: trust_add/1(u'ATLAS5.HPC', realm_admin=u'Administrator', realm_passwd=u'********', realm_server=u'dc.atlas5.hpc', range_type=u'ipa-ad-trust', bidirectional=True, version=u'2.228'): ACIError
---
When you look at the Samba AD trust list, it shows the following entry. If you delete the trust and try to add it again, the entry comes back.
[root@atlas5dc samba]# bin/samba-tool domain trust list
Type[Forest] Transitive[Yes] Direction[BOTH] Name[ipa.domain.com]
I have pored over this for days and cannot find a reason why it's saying NT_STATUS_ACCESS_DENIED. I've tried verifying all the tedious details like DNS SRV records and user SIDs, so now I feel like it's going to be something more obvious :)
Thanks,
nate
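Added example, not code from the thread or from FreeIPA/Samba: a small Python parser for the ndr call trace quoted above, pairing each LSA call's in: block with the NTSTATUS in its out: block so the failing RPC stands out. It assumes the one-field-per-line layout Samba writes to error_log (the sample trace is reconstructed from the post and trimmed).

```python
"""Summarise the LSA RPC calls in a Samba ndr trace like the one the post took
from /var/log/httpd/error_log (added example, not code from the thread). Each
call prints '<call>: struct <call>' then an indented 'in:'/'out:' block."""
import re

# Constructed sample, trimmed from the post's trace.
SAMPLE_TRACE = """\
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    in: struct lsa_QueryTrustedDomainInfoByName
        trusted_domain           : *
            trusted_domain: struct lsa_String
                string                   : 'atlas5.hpc'
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    in: struct lsa_CreateTrustedDomainEx2
            sid                      : S-1-5-21-600493320-3079828444-3896724992
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        result                   : NT_STATUS_ACCESS_DENIED
"""

CALL_RE = re.compile(r"^(\w+): struct \1$")
DIR_RE = re.compile(r"^\s+(in|out): struct \w+$")
FIELD_RE = re.compile(r"^\s+(\w+)\s*: (.+)$")

def parse_calls(trace):
    """One dict per RPC call: name, request fields, reply NTSTATUS."""
    calls, cur, direction = [], None, None
    for line in trace.splitlines():
        if m := CALL_RE.match(line):
            # The out: half repeats the header; new record only on a new call.
            if cur is None or cur["name"] != m.group(1) or cur["result"]:
                cur = {"name": m.group(1), "fields": {}, "result": None}
                calls.append(cur)
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := FIELD_RE.match(line)) and cur is not None:
            key, value = m.group(1), m.group(2).strip()
            if direction == "out" and key == "result":
                cur["result"] = value
            elif direction == "in" and not value.startswith(("*", "NULL", "struct ")):
                cur["fields"][key] = value  # pointer/struct wrappers are skipped
    return calls

def failures(calls):
    """(call, NTSTATUS) for every reply that is not NT_STATUS_OK."""
    return [(c["name"], c["result"]) for c in calls
            if c["result"] and c["result"] != "NT_STATUS_OK"]
```

On the post's trace this lists the expected NT_STATUS_OBJECT_NAME_NOT_FOUND from the lookup and then the NT_STATUS_ACCESS_DENIED returned by lsa_CreateTrustedDomainEx2, the call the request actually fails on.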
On Tue, 08 May 2018, Nathan Brown via FreeIPA-users wrote:
When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1 (MIT Kerberos), it fails with the following error:
[root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC --range-type=ipa-ad-trust --two-way=true --admin=Administrator --server dc.atlas5.hpc
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials
Trust between Samba 4.x and FreeIPA is not supported yet. I have some patches in progress but not finished yet.
Alexander,
Thanks for the quick reply. We are wanting to “migrate” (manually) to IPA 4 (from IPA 3) and wish to use the new ipaNTHash attributes instead of the legacy Samba LDAP schema. The problem we are facing is that we need to use ipasam.so with Samba 4 if we want to use the new attributes.
At each site, we have an IPA 4 instance and Windows clients that need to be joined to a domain and a Linux file server that needs to also run Samba. I was hoping to use Samba4 AD with a Trust to the local IPA so we can use the AD features.
I hope what we are trying to do (upgrade) makes sense. Do you have any recommendations?
Thanks,
nate
On Tue, 08 May 2018, Nathan Brown wrote:
Alexander,
Thanks for the quick reply. We are wanting to “migrate” (manually) to IPA 4 (from IPA 3) and wish to use the new ipaNTHash attributes instead of the legacy Samba LDAP schema. The problem we are facing is that we need to use ipasam.so with Samba 4 if we want to use the new attributes.
At each site, we have an IPA 4 instance and Windows clients that need to be joined to a domain and a Linux file server that needs to also run Samba. I was hoping to use Samba4 AD with a Trust to the local IPA so we can use the AD features.
I hope what we are trying to do (upgrade) makes sense. Do you have any recommendations?
Trust between Samba AD and IPA would make sense, yes. Note that it would work with Heimdal-based Samba AD to a degree, but the MIT build is broken. I started looking into the actual flow and found some areas where we needed fixes in both SSSD and IPA too. Thus, I'm saying that this setup does not work right now.
Part of the work can be tracked with
https://github.com/SSSD/sssd/pull/522,
https://lists.samba.org/archive/samba-technical/2018-March/125974.html, and
https://github.com/abbra/freeipa/commits/trust-samba-ad
These patch sets aren't finished yet...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland