[Freeipa-users] FreeIPA 3.3.3-28 Integration with Samba 4.1.1-37 Problems

Jason Smith jasonsmith at attask.com
Tue Oct 28 18:36:58 UTC 2014

A little history.  We migrated from an OpenLDAP system to FreeIPA.  The IPA
version is listed above.  I have samba installed and integrated directly on
the FreeIPA box.
The problem we're having is that users who were migrated can no longer see
the samba shares.  We are connecting to these shares through Mac OSX.  When
accessing the share with smbclient -L mydomain at domain.com I get the
response *session setup failed: NT_STATUS_CONNECTION_DISCONNECTED.*  This
is the response I get when connected to the FreeIPA/Samba box.

Users were able to access these shares, then overnight, they weren't.  No
changes were made to the samba config or the FreeIPA.  *Any new user
created through FreeIPA can see and browse any share they have access to.*

If there's any other information needed, please let me know.  Thank you!!!

Below are a couple configs I have set:

*Samba global settings*
    workgroup = ATTASK
    netbios name = IPA01
    realm = ATTASK.CORP
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    log file = /var/log/samba/log.%m
    max log size = 100000
    disable spoolss = Yes
    domain logons = Yes
    domain master = Yes
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    ldap suffix = dc=attask,dc=corp
    ldap ssl = no
    ldap user suffix = cn=users,cn=accounts
    registry shares = Yes
    create krb5 conf = No
    rpc_daemon:lsasd = fork
    rpc_daemon:epmd = fork
    rpc_server:tcpip = yes
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_server:lsasd = external
    rpc_server:lsass = external
    rpc_server:lsarpc = external
    rpc_server:epmapper = external
    ldapsam:trusted = yes
    idmap config * : backend = tdb

*User Not Working:*
 dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
  uid: test
  sn: test
  cn: test
  mail: test at test.com
  nsaccountlock: False
  has_password: True
  has_keytab: True
  dialupAccess: yes
  displayName: test test
  emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
  gidNumber: 107001365
  givenName: test
  homeDirectory: /home/test
  ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
  ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
  krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
  krbLastFailedAuth: 20141028151647Z
  krbLastPwdChange: 20141028152120Z
  krbLastSuccessfulAuth: 20141028152012Z
  krbLoginFailedCount: 0
  krbPasswordExpiration: 20150122152120Z
  krbPrincipalName: test at ATTASK.CORP
  krbTicketFlags: 128
  loginShell: /sbin/nologin
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
  memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
  memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: organizationalperson
  objectClass: top
  objectClass: customPersonAttributes
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: sambaSamAccount
  objectClass: person
  objectClass: inetuser
  objectClass: krbprincipalaux
  objectClass: radiusProfile
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: ipantuserattrs
  radiusTunnelMediumType: IEEE-802
  radiusTunnelPrivateGroupId: 1424
  radiusTunnelType: VLAN
  sambaPwdLastSet: 0
  sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
  uidNumber: 107001355