[Freeipa-users] a bit off topic- samba + sssd => AD
lejeczek
peljasz at yahoo.co.uk
Fri Jun 3 15:45:53 UTC 2016
On 03/06/16 15:11, Sumit Bose wrote:
> On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
>> hi users,
>>
>> I have Samba and sssd trying AD; it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and win10 clients get
>> to samba shares, getent pass sees AD users, samba can get to DC's shares and
>> win10's clients shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may
>> provide more information: Server cifs/swir.private.dom@PRIVATE.DOM not found
>> in Kerberos database]
> Which realm is PRIVATE.DOM? What does
>
> $ klist -k -t /etc/krb5.swir.ccnr.keytab
>
> return?
$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
and swir runs Samba, but I'm trying to sssd together AD &
IPA, I should have mentioned.
From a DNS perspective it's AD = ccnr.dom and IPA =
private.ccnr.dom; everything seems to resolve OK, at both the AD
and the IPA end.
And my sssd.conf:
------------
ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab
[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = private.ccnr.dom, ccnr.dom
[nss]
memcache_timeout = 600
homedir_substring = /home
--------------
AD DC (whose shares smbclient @swir can get to) shows:
C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for
CN=SWIR,OU=private,DC=ccnr,DC=dom:
cifs/swir.private.ccnr.dom@CCNR.DOM
host/swir.private.ccnr.dom
host/swir.private.ccnr.dom@CCNR.DOM
HOST/SWIR
like I said, getent and id see both domains
If I
$ kinit me@CCNR.DOM
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: me@CCNR.DOM
Valid starting     Expires            Service principal
03/06/16 16:37:06  04/06/16 02:37:06  krbtgt/CCNR.DOM@CCNR.DOM
$ smbclient -L //$(hostname) -U me@CCNR.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure.
Minor code may provide more information: Server
cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM not found in
Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request:
NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
What I see in the last one above is
cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM
I've just realized, for some reason, and maybe a valid one,
smbclient doesn't do cifs/swir.private.ccnr.dom@CCNR.DOM,
which is in the keytabs.
But smbclient fails without -k, which I understand should
then use a password and should be sufficient to authenticate.
many thanks Sumit,
L.
> bye,
> Sumit
>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has relevance, I set it up
>> following samba sssd wiki.
>>
>> security = ads
>> realm = CCNR.DOM
>> workgroup = CCNR
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>> client signing = auto
>> client use spnego = yes
>> encrypt passwords = yes
>> password server = ccnr-winsrv1.ccnr.dom
>> netbios name = SWIR
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> preferred master = no
>> dns proxy = no
>> wins server = ccnr-winsrv1.ccnr.dom
>> wins proxy = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>>
>> and in samba log:
>>
>> domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
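Added example, not part of the thread and not sssd's or Samba's own code: a small Python check that reproduces the client-side reasoning behind the gss_init_sec_context error above. It parses a constructed `klist -k -t` listing shaped like the one in this message (host/ keys only, all in CCNR.DOM) and a constructed krb5.conf [domain_realm] fragment in which the IPA server maps .private.ccnr.dom to PRIVATE.CCNR.DOM (that mapping is an assumption; the thread does not show krb5.conf). It then derives the realm libkrb5 would pick for the host, builds the cifs/ principal smbclient -k would ask the KDC for, and compares it with what the keytab holds. The host-to-realm walk is an approximation of libkrb5's domain_realm lookup (exact host, then parent domains with a leading dot, then the upper-cased parent domain) and ignores DNS TXT lookups.

```python
import re
from typing import Dict, List, Set

# Constructed sample: klist -k -t output shaped like the listing in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
"""

# Constructed krb5.conf fragment (assumption: the IPA server maps its own
# DNS domain private.ccnr.dom to the IPA realm PRIVATE.CCNR.DOM).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = PRIVATE.CCNR.DOM

[domain_realm]
 .private.ccnr.dom = PRIVATE.CCNR.DOM
 private.ccnr.dom = PRIVATE.CCNR.DOM
"""

# One keytab entry: "KVNO principal" (klist -k) or "KVNO date time principal" (-t).
KEYTAB_LINE = re.compile(r"^\s*\d+\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s*$")


def parse_keytab_listing(text: str) -> Set[str]:
    """Return the set of principals named in klist -k [-t] output."""
    return {m.group(1) for m in map(KEYTAB_LINE.match, text.splitlines()) if m}


def parse_domain_realm(krb5_conf: str) -> Dict[str, str]:
    """Extract the [domain_realm] section of a krb5.conf as {pattern: REALM}."""
    section = None
    mapping: Dict[str, str] = {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(hostname: str, domain_realm: Dict[str, str]) -> str:
    """Approximate libkrb5's host -> realm choice (no DNS TXT lookup):
    exact host, then each parent domain with a leading dot, then the
    upper-cased parent domain as the built-in fallback."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return ".".join(labels[1:]).upper()


def diagnose(service: str, hostname: str, domain_realm: Dict[str, str],
             keytab_principals: Set[str]) -> Dict[str, object]:
    """Compare the principal a client would request with the keytab contents."""
    host = hostname.lower().rstrip(".")
    expected = f"{service}/{host}@{realm_for_host(host, domain_realm)}"

    def realms_of(svc: str) -> List[str]:
        return sorted({p.split("@", 1)[1] for p in keytab_principals
                       if p.lower().startswith(f"{svc}/{host}@")})

    return {
        "expected": expected,
        "in_keytab": expected in keytab_principals,
        "service_key_realms": realms_of(service),
        "host_key_realms": realms_of("host"),
    }


def findings(report: Dict[str, object]) -> List[str]:
    """Turn a diagnose() report into human-readable observations."""
    out: List[str] = []
    if report["in_keytab"]:
        return [f"client target matches a keytab entry: {report['expected']}"]
    out.append(f"client will ask the KDC for {report['expected']}, not in keytab")
    if not report["service_key_realms"]:
        out.append("keytab holds no key for this service in any realm")
    else:
        out.append("service key exists only for: " + ", ".join(report["service_key_realms"]))
    target_realm = str(report["expected"]).split("@", 1)[1]
    if report["host_key_realms"] and target_realm not in report["host_key_realms"]:
        out.append("host/ keys were issued by " + ", ".join(report["host_key_realms"])
                   + f", but the host maps to {target_realm}: realm mapping mismatch")
    return out


if __name__ == "__main__":
    rep = diagnose("cifs", "swir.private.ccnr.dom",
                   parse_domain_realm(SAMPLE_KRB5_CONF),
                   parse_keytab_listing(SAMPLE_KLIST))
    for line in findings(rep):
        print(line)
```

To run it against a real box, replace the two samples with the output of `klist -k -t <keytab>` and the contents of /etc/krb5.conf. For the listing in this message the report separates two distinct facts: the client resolves swir.private.ccnr.dom to PRIVATE.CCNR.DOM (the IPA realm), which is the KDC that answers "not found in Kerberos database" because no cifs/ principal exists there; and independently the keytab has no cifs/ key at all, the host/ keys being issued by CCNR.DOM. Note that even with an empty [domain_realm] the fallback still yields PRIVATE.CCNR.DOM for this hostname, so the realm choice cannot be blamed on the mapping alone.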