[Freeipa-users] Error joining domain: tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc
Martin Juhl
mj at casalogic.dk
Sun Feb 28 07:24:43 UTC 2016
Hi Alexander
Thanks for your reply...
The problem here was apparently SELinux, after setting:
setsebool -P samba_load_libgfapi 1
setsebool -P samba_portmapper 1
The lsasd daemon was able to startup correctly...
Now I'm faced with another issue:
ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
I'm trying to use the user "mj" to do the join:
[root at bart ~]# id mj
uid=1935800001(mj) gid=1935800001(mj) grupper=1935800001(mj),1935800004(vpn),1935800000(admins),1935800008(ntadmins)
[root at bart ~]# net groupmap list
Domain Users (S-1-5-21-3189138339-1730592290-4215248117-513) -> ntusers
Domain Admins (S-1-5-21-3189138339-1730592290-4215248117-512) -> ntadmins
Domain Guests (S-1-5-21-3189138339-1730592290-4215248117-514) -> nobody
Any thoughts???
You say that freeipa with ipasam is not supported with NT4 domain... Is there a supported way to do this?? (Sambav4 AD??? Couldn't get it to work)...
My configuration is below...
Regards
Martin
[global]
workgroup = BOLLS
netbios name = BART
realm = BOLLS.LAN
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 3
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldaps://lisa.bolls.lan
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=bolls,dc=lan
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, mj
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = mj, root
printer admin = mj, root
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, mj
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/mj
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
----- Original message -----
From: "Alexander Bokovoy" <abokovoy at redhat.com>
To: "mj" <mj at casalogic.dk>
Cc: "freeipa-users" <freeipa-users at redhat.com>
Sent: Saturday, 27 February 2016 15:17:14
Subject: Re: [Freeipa-users] Error joining domain: tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc
On Sat, 27 Feb 2016, Martin Juhl wrote:
>Hi guys
>
>I have set up an NT4 domain, using FreeIPA as an ipasam backend...
>
>Normal user authentication and shares seem to work, but I'm getting an
>error when trying to join a Windows 7 machine to the domain (see
>below)...
>
>To me it seems to be the same error as here: https://bugzilla.samba.org/show_bug.cgi?id=11245....
>
>Does anyone know if this patch has been implemented in the FreeIPA in CentOS??:
This should be fixed in RHEL 7 after rebase to 4.2.3, according to
upstream git:
$ git tag --contains 9a86ca9779c7be9cd6e2f6f7c18233d1c9883bef | head -1
samba-4.2.3
RHEL 7 had 4.2.3 coming as
* Tue Jul 14 2015 Andreas Schneider <asn at redhat.com> - 4.2.3-1
- related: #1196140 - Rebase to version 4.2.3
- resolves: #1237036 - Fix DCERPC PDU calculation
- resolves: #1237039 - Fix winbind request cancellation
- resolves: #1223981 - Fix possible segfault with smbX protocol setting
>Or is this another issue????
Most likely it is. We do not support using FreeIPA via ipasam as NT4
domain controller and this mode was never tested. I don't know how
exactly you run ipasam configuration.
--
/ Alexander Bokovoy
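The ACCESS DENIED line in Martin's message is an access-mask check: the server compares the rights it granted on a handle (0x00000201) with the rights the operation requires (0x00000010). The following is an added example, not code from this thread or from Samba or FreeIPA, that decodes such a line into the individual bits and reports which required bit was not granted. It assumes the handle being checked is a SAMR domain handle (the usual case when a join creates a machine account) and therefore labels the bits with the MS-SAMR domain ACCESS_MASK names; if the check is on a different object type the numeric result still holds but the names would differ. The sample log line is the one quoted in the message above.

```python
import re

# Constructed sample input: the line quoted in the message above.
SAMPLE_LOG_LINE = "ACCESS DENIED (granted: 0x00000201; required: 0x00000010)"

# Assumption: the check is on a SAMR domain handle, so these are the
# MS-SAMR domain ACCESS_MASK bits. For user/group/alias handles the same
# numeric bits carry different names.
SAMR_DOMAIN_ACCESS_BITS = {
    0x00000001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x00000002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x00000004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x00000008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x00000010: "DOMAIN_CREATE_USER",
    0x00000020: "DOMAIN_CREATE_GROUP",
    0x00000040: "DOMAIN_CREATE_ALIAS",
    0x00000080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x00000100: "DOMAIN_LIST_ACCOUNTS",
    0x00000200: "DOMAIN_LOOKUP",
    0x00000400: "DOMAIN_ADMINISTER_SERVER",
}

_PATTERN = re.compile(
    r"ACCESS DENIED \(granted: 0x([0-9a-fA-F]+); required: 0x([0-9a-fA-F]+)\)"
)


def parse_access_denied(line):
    """Return (granted, required) as integers, or None if the line does not match."""
    m = _PATTERN.search(line)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def missing_bits(granted, required):
    """Bits that were required but not granted; zero means the check would pass."""
    return required & ~granted


def bit_names(mask, table):
    """Expand a mask into the names of its set bits, lowest bit first."""
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            names.append(table.get(bit, "UNKNOWN_0x%08x" % bit))
        bit <<= 1
    return names


def explain(line, table=SAMR_DOMAIN_ACCESS_BITS):
    """Decode one ACCESS DENIED log line into granted/required/missing bit names."""
    parsed = parse_access_denied(line)
    if parsed is None:
        return None
    granted, required = parsed
    return {
        "granted": bit_names(granted, table),
        "required": bit_names(required, table),
        "missing": bit_names(missing_bits(granted, required), table),
    }


if __name__ == "__main__":
    print(explain(SAMPLE_LOG_LINE))
```

Under the stated assumption the sample decodes to granted DOMAIN_READ_PASSWORD_PARAMETERS and DOMAIN_LOOKUP, required DOMAIN_CREATE_USER, and DOMAIN_CREATE_USER missing, which is the right the joining account needs to create the machine account; that points the investigation at the privileges and group mapping of the account performing the join rather than at the RPC transport.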