Hi,
I am trying to set up FreeIPA to authenticate users logging into Linux systems, but would also like to use this to authenticate users accessing Samba shares from Windows clients. The problem is that I cannot access the shares at all from Windows clients and when I try to access a share from a Linux client, the following error message is printed:
robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U robert
WARNING: The "syslog" option is deprecated
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Enter WORKGROUP\robert's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
session setup failed: NT_STATUS_LOGON_FAILURE
Information regarding the setup:
- The FreeIPA + Samba server (samba.linux.company.local) is a VM running CentOS 7. The FreeIPA version is "VERSION: 4.5.4, API_VERSION: 2.228". The Samba version is 4.7.1.
- The firewalls on the server, VM host and clients are turned off for debugging purposes.
- SELINUX is also turned off.
- This was a fresh install and FreeIPA was set up with the following commands:
sudo yum install ipa-server
sudo ipa-server-install
Do you want to configure integrated DNS (BIND)? [no]: no
Server host name [ipa.company.local]: samba.linux.company.local
Please confirm the domain name [company.local]: samba.linux.company.local
Please provide a realm name [SAMBA.COMPANY.LOCAL]: SAMBA.LINUX.COMPANY.LOCAL
- The users can log into the Linux workstations that have been enrolled, suggesting that the setup is at least partly correct.
The Windows clients are not enrolled into the FreeIPA domain and are instead in the domain company.local. I followed the instructions here (https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/...) with the following options:
yum install ipa-server-trust-ad
sudo ipa-adtrust-install
Enable trusted domains support in slapi-nis? [no]: no
NetBIOS domain name [LINUX]: LINUX
Do you want to run the ipa-sidgen task? [no]: yes
Followed by:
sudo mkdir /samba
sudo chmod 777 /samba
sudo net conf addshare samba /samba writeable=y guest_ok=n
sudo systemctl restart smb
Running sudo net conf list produces the following output:
[global]
workgroup = LINUX
netbios name = SAMBA
realm = LINUX.COMPANY.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-COMPANY-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=company,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
[samba]
path = /samba
guest ok = yes
read only = no
When I try to mount the share on Windows clients (either with \\192.168.0.xx\samba or \\samba.linux.company.local in Explorer) it states that 'The user name or password is incorrect.' I am not convinced that this is the case, however, since the same message is displayed even if the share is created with the option 'guest_ok=y'.
If I try to mount the 'guest_ok=y' share from a Linux client in the FreeIPA realm, I at least get an error message:
robert@workstation 14:13:09 > smbclient //192.168.0.xx/samba -U username
WARNING: The "syslog" option is deprecated
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Enter LINUX\robert's password:
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
session setup failed: NT_STATUS_LOGON_FAILURE
Under both Windows and Linux I have tried all combinations of domain (LINUX, SAMBA, WORKGROUP) and various users that I can think of, but with no success.
Does anyone have an idea what the issue might be? I previously created the above setup on a pair of VMs and everything worked as expected, but am having difficulty reproducing it here....
Many thanks in advance for any help and suggestions! Please let me know if you need any more information.
Rob
On Thu, 29 Nov 2018, Robert Byrne via FreeIPA-users wrote:
> Hi,
> I am trying to set up FreeIPA to authenticate users logging into Linux systems, but would also like to use this to authenticate users accessing Samba shares from Windows clients. The problem is that I cannot access the shares at all from Windows clients and when I try to access a share from a Linux client, the following error message is printed:
We do not support this yet. Mounting shares from Windows requires Windows applications to look up user and groups via Global Catalog service on the side of the domain where share belongs to (IPA). As we do not provide GC service, Windows clients fail.
As to the other direction, there are known bugs too. I recently outlined some of them on samba-technical@ -- https://lists.samba.org/archive/samba-technical/2018-November/131274.html
Hi,
A belated thanks for the reply and I seem to have solved the problem. The cause might have been obvious to others, but I will describe it here briefly in case it helps others:
- We have a FreeIPA server and this exports a number of directories by Samba. FreeIPA was set up as described above and Samba as described here (https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/...).
- There is no trust with the Windows domain / AD. Some of the users are also using OSX.
- FreeIPA users were unable to mount the Samba shares if they entered \\samba.linux.company.local\samba_share_name in e.g. Windows Explorer.
- The issue was that I had changed the users' UIDs and GIDs from those automatically assigned by the Web UI to their current values to aid migration. The values were then outside of the local domain range defined in the IPA server > ID ranges tab of the Web UI. As soon as this range was changed (in my case through reinstalling FreeIPA server with the option "--idstart=2000") the users could mount the shares from Windows.
A bit frustrating, but still a lot easier than setting up LDAP even without Samba! :-)
Somewhat off-topic. Does anyone know if the connection between the clients (Windows or OSX) and the FreeIPA/Samba server is encrypted or how I could find this out? This is the output of 'net conf list':
[global]
workgroup = LINUX
netbios name = IPA
realm = LINUX.CRELUX.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=crelux,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
I guess from the line 'ldap ssl = off' that the user credentials are being sent in plain-text. Is this correct?
Best regards, Rob
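The root cause Rob describes, POSIX IDs that were moved outside the local ID range, can be caught before users hit it. This is an added example, not code from the thread or from FreeIPA: it assumes the range fields as shown in the Web UI's ID ranges tab (first POSIX ID, number of IDs, first RID), my own assumption about how sidgen derives a RID from a POSIX ID, and constructed sample IDs.

```python
"""Flag FreeIPA accounts whose POSIX IDs fall outside the local ID range.

Added example, not code from the thread or from FreeIPA: ipa-sidgen only
assigns a SID to POSIX IDs inside the local range, and ipasam cannot serve
an account without a SID, which is what Rob hit after hand-editing IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    base_id: int   # "First Posix ID of the range" (set by --idstart)
    size: int      # "Number of IDs in the range"
    base_rid: int  # "First RID of the corresponding RID range"

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id

    def rid_for(self, posix_id: int) -> int:
        # Assumption for this example: sidgen derives the RID from the
        # POSIX ID's offset into the range (base_rid + id - base_id).
        if not self.contains(posix_id):
            raise ValueError(f"{posix_id} outside local range, no SID")
        return self.base_rid + (posix_id - self.base_id)


# Constructed: the range an install with --idstart=2000 would create.
LOCAL_RANGE = IdRange(base_id=2000, size=200000, base_rid=1000)

# Constructed: login -> (uid, gid); alice and bob kept migrated IDs.
SAMPLE_USERS = {"robert": (2001, 2001), "alice": (1000, 1000),
                "bob": (2050, 1000)}


def check_users(users: dict, rng: IdRange) -> dict:
    """Map login -> None when uid and gid are in range, else a reason."""
    report = {}
    for login, (uid, gid) in users.items():
        problems = [
            f"{kind} {value} outside {rng.base_id}-{rng.last_id}"
            for kind, value in (("uid", uid), ("gid", gid))
            if not rng.contains(value)
        ]
        report[login] = "; ".join(problems) or None
    return report
```

Feed it the uid/gid pairs from `ipa user-find` and the range from `ipa idrange-find` to list every account that Samba will refuse before changing the range.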
On Wed, 05 Dec 2018, Robert Byrne via FreeIPA-users wrote:
> Hi,
> A belated thanks for the reply and I seem to have solved the problem. The cause might have been obvious to others, but I will describe it here briefly in case it helps others:
> - We have a FreeIPA server and this exports a number of directories by Samba. FreeIPA was set up as described above and Samba as described here (https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/...).
> - There is no trust with the Windows domain / AD. Some of the users are also using OSX.
> - FreeIPA users were unable to mount the Samba shares if they entered \\samba.linux.company.local\samba_share_name in e.g. Windows Explorer.
> - The issue was that I had changed the users' UIDs and GIDs from those automatically assigned by the Web UI to their current values to aid migration. The values were then outside of the local domain range defined in the IPA server > ID ranges tab of the Web UI. As soon as this range was changed (in my case through reinstalling FreeIPA server with the option "--idstart=2000") the users could mount the shares from Windows.
> A bit frustrating, but still a lot easier than setting up LDAP even without Samba! :-)
> Somewhat off-topic. Does anyone know if the connection between the clients (Windows or OSX) and the FreeIPA/Samba server is encrypted or how I could find this out? This is the output of 'net conf list':
> [global]
> workgroup = LINUX
> netbios name = IPA
> realm = LINUX.CRELUX.LOCAL
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/samba/samba.keytab
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> log level = 1
> max log size = 100000
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=linux,dc=crelux,dc=local
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> I guess from the line 'ldap ssl = off' that the user credentials are being sent in plain-text. Is this correct?
passdb backend is set to use the 'ipasam' module with the LDAPI protocol, which is LDAP over a Unix domain socket. It doesn't use SSL but instead uses GSSAPI for authentication and signing. So first, the data is not sent over the network, only between two daemons on the same machine over a UNIX domain socket. And second, the channel is set up with GSSAPI and it is encrypted even for that UNIX domain socket.
Use of 'ldap ssl = off' is to avoid hitting the code paths in Samba that require handling certificates for the case where they are not needed at all.
Hope this helps.
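To see the distinction the reply makes directly from a `net conf list` dump, here is an added example (not code from the thread, Samba or FreeIPA) that parses the output and classifies the passdb transport. It assumes the parameter names shown in the thread plus Samba's `smb encrypt` parameter, and uses a shortened, constructed copy of the thread's [global] section as input.

```python
"""Work out what the passdb transport in a `net conf list` dump implies.

Added example, not code from the thread, Samba or FreeIPA. It parses the
INI-like output and reports whether the directory is reached over a UNIX
domain socket (ldapi://, %2f decoding to '/') or over TCP, i.e. whether
`ldap ssl` governs any network traffic. The sample shortens the thread's
[global] section; smb encrypt is read because it covers client traffic.
"""
import configparser
from urllib.parse import unquote, urlsplit

SAMPLE_NET_CONF = """\
[global]
realm = LINUX.COMPANY.LOCAL
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-COMPANY-LOCAL.socket
ldap ssl = off
log file = /var/log/samba/log.%m
[samba]
path = /samba
guest ok = yes
"""


def parse_net_conf(text: str) -> configparser.ConfigParser:
    # Only '=' separates keys (Samba keys like rpc_server:samr contain ':')
    # and interpolation is off because values carry %m and %2f sequences.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def passdb_transport(cfg: configparser.ConfigParser) -> dict:
    g = cfg["global"]
    module, _, url = g.get("passdb backend", "tdbsam").partition(":")
    info = {"module": module, "ldap ssl": g.get("ldap ssl", "<not set>"),
            "smb encrypt": g.get("smb encrypt", "<not set>")}
    if module not in ("ipasam", "ldapsam"):
        info.update(transport="local file", network_ldap=False)  # tdbsam etc.
        return info
    parts = urlsplit(url)
    if parts.scheme == "ldapi":
        # Same-host UNIX socket: nothing crosses the wire, so `ldap ssl`
        # is irrelevant; the channel is still GSSAPI-protected.
        info.update(transport="unix socket", network_ldap=False,
                    socket=unquote(parts.netloc or parts.path))
    else:
        # ldap:// or ldaps:// reach the directory over TCP; only then do
        # `ldap ssl` / ldaps decide whether credentials are protected.
        info.update(transport=f"{parts.scheme} over TCP",
                    host=parts.netloc, network_ldap=True)
    return info
```

The SMB side of Rob's question (Windows or OSX client to the Samba server) is governed by `smb encrypt`, which this dump does not set, so the report shows "<not set>" for it and the Samba default applies.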