[Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)
William Graboyes
wgraboyes at cenic.org
Wed Jul 22 20:40:08 UTC 2015
Hi Alexander,
Thank you for the pointers. However, it seems that I am still not
getting the ipaNTSecurityIdentifier returned, even after re-running
the ipa-adtrust-install --add-sids (which I believe it gave me the
option for on initial install, and I said yes).
I followed the steps on this site (I believe you directed me there):
http://firstyear.id.au/entry/22
Here is the output from the commands:
[root at ipa-server-2 ~]# kinit admin
Password for admin at foo.bar:
[root at ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: admin at foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#
# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group
# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this group
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
[root at ipa-server-2 ~]# kdestroy
[root at ipa-server-2 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
[root at ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: cifs/ipa-server-2.foo.bar at foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#
# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group
# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this group
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Thanks,
Bill Graboyes
On 7/22/15 12:53 PM, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, William Graboyes wrote:
>>
>> Hi All,
>>
>> I have been messing around with AD trust installs mainly around
>> doing ntlm_auth for a radius server.
>>
>> However, as I was unable to see some of the needed resources, I
>> thought maybe IPA may need a kick.
>>
> This is your problem:
>> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
>> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
> What did you do?
>
> Try to search as admin and as cifs/`hostname`:
>
> # kinit admin
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
> # kdestroy
> # kinit -kt /etc/samba/samba.keytab cifs/`hostname`
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
>
> If the first one gives you a proper entry with
> ipaNTSecurityIdentifier and the second one does not return the same
> entry, you've broken ACIs.
>
> If both of them are failing, you need to re-run
> ipa-adtrust-install --add-sids to fix that.
>
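The two-identity check Alexander describes (search as admin, search as cifs/`hostname`, then compare whether ipaNTSecurityIdentifier comes back) can be turned into a small script so the three outcomes in his reply are decided mechanically rather than by eye. This is an added example, not code from the thread or from FreeIPA. It parses ldapsearch LDIF output, including RFC 2849 folded continuation lines like the wrapped description above, and assumes the entry that matters is the one under cn=accounts (the cn=compat copy in Bill's output carries only posixGroup attributes). The LDIF samples are constructed from the thread's output, and the SID value in the healthy sample is a made-up placeholder.

```python
"""Classify the admin-vs-cifs ldapsearch check from the thread (added example).

Outcomes mirror Alexander's reply: SID visible to both identities -> "ok";
visible to admin only -> "aci-broken"; visible to neither -> "sids-missing"
(re-run ipa-adtrust-install --add-sids).
"""
from typing import Dict, List, Optional

SID_ATTR = "ipantsecurityidentifier"  # LDAP attribute names are case-insensitive

# Constructed sample modelled on the thread's output, with the SID attribute
# absent. The "  this group" line is an LDIF fold: the first space marks the
# continuation, the second space is part of the value.
NO_SID = """\
SASL/GSSAPI authentication started
SASL username: admin@foo.bar
SASL SSF: 56
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: (cn=Default SMB Group)
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to
  this group
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success
"""

# Constructed healthy sample: same output plus the SID attribute. The SID is a
# placeholder value, not one taken from the thread.
WITH_SID = NO_SID.replace(
    "ipaUniqueID:",
    "ipaNTSecurityIdentifier: S-1-5-21-111111111-222222222-333333333-1001\nipaUniqueID:",
)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into entries of {attribute_lowercase: [values]}.

    Comment lines, the SASL banner and the search/result trailer are ignored;
    folded lines (leading space) are joined back onto the previous line.
    Base64 ("::") values are kept as-is, not decoded.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # drop the fold marker, keep the rest
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # SASL banner lines without a colon
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)
    return entries


def accounts_entry(entries: List[Dict[str, List[str]]]) -> Optional[Dict[str, List[str]]]:
    """Pick the real group object under cn=accounts; the cn=compat view is not evidence."""
    for entry in entries:
        if "cn=accounts" in entry["dn"][0].lower():
            return entry
    return None


def has_sid(ldif_text: str) -> bool:
    """True if the cn=accounts entry in this search output carries the SID attribute."""
    entry = accounts_entry(parse_ldif(ldif_text))
    return entry is not None and SID_ATTR in entry


def diagnose(admin_ldif: str, cifs_ldif: str) -> str:
    """Map the (admin, cifs/host) pair of results onto the outcomes from the thread."""
    admin_ok, cifs_ok = has_sid(admin_ldif), has_sid(cifs_ldif)
    if admin_ok and cifs_ok:
        return "ok"
    if admin_ok and not cifs_ok:
        return "aci-broken"    # admin sees the SID, the cifs/ principal does not
    if not admin_ok and not cifs_ok:
        return "sids-missing"  # neither sees it: re-run ipa-adtrust-install --add-sids
    return "unexpected"        # cifs/ sees it but admin does not


if __name__ == "__main__":
    print(diagnose(WITH_SID, WITH_SID))  # ok
    print(diagnose(WITH_SID, NO_SID))    # aci-broken
    print(diagnose(NO_SID, NO_SID))      # sids-missing, which is what Bill's output shows
```

In practice you would feed `diagnose()` the captured stdout of the two ldapsearch runs from the thread; against the output Bill pasted, both runs lack the attribute on the cn=accounts entry, so the script lands on the "sids-missing" branch.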