[Freeipa-users] Error joining domain: tstream_npa_connect_recv to /run/samba/ncalrpc/np for pipe lsarpc

Alexander Bokovoy abokovoy at redhat.com
Sun Feb 28 09:03:24 UTC 2016


----- Original Message -----
> Hi Alexander
> 
> Thanks for your reply...
> 
> The problem here was apparently SELinux, after setting:
> 
> setsebool -P samba_load_libgfapi 1
> setsebool -P samba_portmapper 1
On an IPA master these should be enabled by ipa-adtrust-install.

On a client you are on your own. You can look at ipaserver/install/adtrustinstance.py to see what is being done there.

This also affects your cifs/bart.bolls.lan@BOLLS.LAN principal which Samba uses to authenticate against LDAP and perform changes in LDAP.
It is this principal that will be used to judge what can be created/modified in LDAP.

> The lsasd daemon was able to start up correctly...
> 
> Now I'm faced with another issue:
> 
> ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
'mj' user lacks SeMachineAccountPrivilege
---------------------------
# net sam rights grant mj SeMachineAccountPrivilege
Granted SeMachineAccountPrivilege to BOLLS\mj
---------------------------

However, as I said, this might not be enough because it would only allow smbd to come to ipasam and ask it to create a machine account.
To do so, ipasam would connect to LDAP with the cifs/bart.bolls.lan@BOLLS.LAN principal, and any operation which is denied to cifs/bart will not pass.

> You say that freeipa with ipasam is not supported with NT4 domain... Is there
> a supported way to do this?? (Sambav4 AD??? Couldn't get it to work)...
Our envisioned way of doing it is eventually to have Samba AD as your AD environment and then use a cross-forest trust to IPA to establish a relationship between the two.
NT4 domains are not really supported well by Windows 7+ either (see https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains for gory details).

> 
> My configuration is below...
> 
> Regards
> 
> Martin
> 
> [global]
>         workgroup = BOLLS
>         netbios name = BART
>         realm = BOLLS.LAN
>         kerberos method = dedicated keytab
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         create krb5 conf = no
>         security = user
>         domain master = yes
>         domain logons = yes
>         log level = 3
>         max log size = 100000
>         log file = /var/log/samba/log.%m
>         passdb backend = ipasam:ldaps://lisa.bolls.lan
>         disable spoolss = yes
>         ldapsam:trusted = yes
>         ldap ssl = off
>         ldap suffix = dc=bolls,dc=lan
>         ldap user suffix = cn=users,cn=accounts
>         ldap group suffix = cn=groups,cn=accounts
>         ldap machine suffix = cn=computers,cn=accounts
>         rpc_server:epmapper = external
>         rpc_server:lsarpc = external
>         rpc_server:lsass = external
>         rpc_server:lsasd = external
>         rpc_server:samr = external
>         rpc_server:netlogon = external
>         rpc_server:tcpip = yes
>         rpc_daemon:epmd = fork
>         rpc_daemon:lsasd = fork
>         logon path = \\%L\Profiles\%U
>         logon drive = H:
>         logon home = \\%L\%U
> 
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         browseable = No
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printer admin = root, mj
>         create mask = 0600
>         guest ok = Yes
>         printable = Yes
>         browseable = No
> [print$]
>         comment = Printer Drivers Share
>         path = /var/lib/samba/drivers
>         write list = mj, root
>         printer admin = mj, root
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         admin users = root, mj
>         guest ok = Yes
>         browseable = No
> # For profiles to work, create a user directory under the path
> # shown. i.e., mkdir -p /var/lib/samba/profiles/mj
> [Profiles]
>         comment = Roaming Profile Share
>         path = /var/lib/samba/profiles
>         read only = No
>         profile acls = Yes
> 
> 
> ----- Original Message -----
> From: "Alexander Bokovoy" <abokovoy at redhat.com>
> To: "mj" <mj at casalogic.dk>
> Cc: "freeipa-users" <freeipa-users at redhat.com>
> Sent: Saturday, 27 February 2016 15:17:14
> Subject: Re: [Freeipa-users] Error joining domain: tstream_npa_connect_recv to
> /run/samba/ncalrpc/np for pipe lsarpc
> 
> On Sat, 27 Feb 2016, Martin Juhl wrote:
> >Hi guys
> > 
> >I have set up an NT4 domain, using FreeIPA as an ipasam backend...
> > 
> >Normal user authentication and shares seem to work, but I'm getting an
> >error when trying to join a Windows 7 machine to the domain (see
> >below)...
> > 
> >To me it seems to be the same error as here:
> >https://bugzilla.samba.org/show_bug.cgi?id=11245....
> > 
> >Does anyone know if this patch has been implemented in the FreeIPA in
> >CentOS??:
> This should be fixed in RHEL 7 after rebase to 4.2.3, according to
> upstream git:
> 
> $ git tag --contains 9a86ca9779c7be9cd6e2f6f7c18233d1c9883bef | head -1
> samba-4.2.3
> 
> RHEL 7 had 4.2.3 coming as
> * Tue Jul 14 2015 Andreas Schneider <asn at redhat.com> - 4.2.3-1
> - related: #1196140 - Rebase to version 4.2.3
> - resolves: #1237036 - Fix DCERPC PDU calculation
> - resolves: #1237039 - Fix winbind request cancellation
> - resolves: #1223981 - Fix possible segfault with smbX protocol setting
> 
> >Or is this another issue????
> Most likely it is. We do not support using FreeIPA via ipasam as NT4
> domain controller and this mode was never tested. I don't know how
> exactly you run ipasam configuration.
> 
> --
> / Alexander Bokovoy
> 
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
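Added here as an illustration, not part of the thread above: a small Python helper that parses the "ACCESS DENIED (granted: ...; required: ...)" line quoted earlier and decodes the two masks, assuming they are SAMR domain-object access rights (bit names follow Samba's samr.idl; the helper names and the regex are my own). For the quoted line it shows that the only right required but not granted is SAMR_DOMAIN_ACCESS_CREATE_USER, which is consistent with the missing SeMachineAccountPrivilege.

```python
import re

# SAMR domain-object access rights as named in Samba's librpc/idl/samr.idl
# (assumed mapping for the masks smbd reports on a domain handle).
DOMAIN_ACCESS_BITS = {
    0x00000001: "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1",
    0x00000002: "SAMR_DOMAIN_ACCESS_SET_INFO_1",
    0x00000004: "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2",
    0x00000008: "SAMR_DOMAIN_ACCESS_SET_INFO_2",
    0x00000010: "SAMR_DOMAIN_ACCESS_CREATE_USER",   # machine accounts are users
    0x00000020: "SAMR_DOMAIN_ACCESS_CREATE_GROUP",
    0x00000040: "SAMR_DOMAIN_ACCESS_CREATE_ALIAS",
    0x00000080: "SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS",
    0x00000100: "SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS",
    0x00000200: "SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT",
    0x00000400: "SAMR_DOMAIN_ACCESS_SET_INFO_3",
}

ACCESS_DENIED_RE = re.compile(
    r"ACCESS DENIED \(granted: 0x([0-9a-fA-F]+); required: 0x([0-9a-fA-F]+)\)"
)


def decode_mask(mask):
    """Return the names of all known bits set in mask; unknown bits are kept as hex."""
    names = [name for bit, name in DOMAIN_ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(DOMAIN_ACCESS_BITS)
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def explain_access_denied(line):
    """Parse one smbd log line; return granted/required/missing rights, or None if it does not match."""
    m = ACCESS_DENIED_RE.search(line)
    if not m:
        return None
    granted, required = int(m.group(1), 16), int(m.group(2), 16)
    missing = required & ~granted  # rights needed for the call but absent from the handle
    return {
        "granted": decode_mask(granted),
        "required": decode_mask(required),
        "missing": decode_mask(missing),
    }


# Constructed sample input: the line quoted in the thread.
SAMPLE_LOG = "ACCESS DENIED (granted: 0x00000201; required: 0x00000010)"

if __name__ == "__main__":
    print(explain_access_denied(SAMPLE_LOG))
```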