[Freeipa-users] Samba Server setup
Alexander Bokovoy
abokovoy at redhat.com
Fri Sep 16 05:04:35 UTC 2016
On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/15/16, 1:06 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
> On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
> >All,
> > I’m working on setting up Samba to serve files from a server attached
> > to our IPA domain. I followed the directions in
> > https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
> > Everything seems to work and I can access the files from another RHEL
> > server attached to the same domain using a Kerberos ticket from a
> > user from the trusted AD domain. However, I can’t access this share
> > from a windows client that is also attached to the trusted AD domain.
> >
> >My smb.conf is as follows:
> >[global]
> > workgroup = IPA
> > realm = IPA.DOMAIN
> > kerberos method = dedicated keytab
> > dedicated keytab file = FILE:/etc/samba/samba.keytab
> > log file = /var/log/samba/log.%m
> > log level = 3
> > security = ads
> > load printers = no
> > disable spoolss = yes
> > map to guest = Never
> > restrict anonymous = 2
> >
> >[spacetest]
> > path = /var/www
> > writable = yes
> > browsable = yes
> >
> >I put the keytab in place from the cifs service from the IPA server.
> >
> >I feel like I’m missing something small, but I can’t seem to find it.
> >Logs from samba are here: http://pastebin.com/aMDXfR78
> These logs show that your Windows client did not use Kerberos but tried
> to authenticate with a password using NTLMSSP. This is not supported yet,
> as written on the page you used for the setup guidance.
>
> You need to find out why the Windows client didn't use Kerberos.
> Is your trust to AD really working?
>
>We’re authenticating AD users on the hosts that are connected to IPA.
>We’re able to create external groups and associate them with internal
>groups for HBAC and sudoers rules. Is there something else I should
>check to see if the trust is working? It’s entirely possible I missed
>something somewhere in the setup, but I don’t think I did.
Start by listing your configuration. Show:
- ipa service-show cifs/samba.server.host (using FQDN hostname)
- ipa trust-show ad.domain
- kinit user@AD.DOMAIN ; KRB5_TRACE=/dev/stderr smbclient -k //samba.server.host/share
- Try to access \\samba.server.host\share from the Windows host and then
show 'klist' in the Windows shell, or alternatively,
- if you are using Windows Server 2012 or later, show output of
'klist get cifs/samba.server.host@IPA.DOMAIN'
- show any lines related to user@AD.DOMAIN and
cifs/samba.server.host from /var/log/krb5kdc.log on the IPA master
You can replace actual hostnames/realm names/IP addresses by something more generic
in the output when sending to the list, but please do it consistently.
--
/ Alexander Bokovoy
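Added example (editor's, not part of the thread or of FreeIPA/Samba): a small shell helper that classifies the two pieces of evidence requested above, the Windows 'klist' output and the IPA master's /var/log/krb5kdc.log, so the failure mode can be named rather than eyeballed. All sample text inside is constructed to mimic the MIT krb5kdc and Windows klist line shapes; the hostnames, realms, IPs and the principal names user@AD.DOMAIN and cifs/samba.server.host@IPA.DOMAIN are placeholders in the same style as the thread, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original thread. Classifies what the IPA KDC log
# and the Windows client's klist say about a cifs/ ticket for the Samba server.
# All sample text is CONSTRUCTED; names, realms and IPs are placeholders.

CLIENT='user@AD.DOMAIN'
SERVICE='cifs/samba.server.host@IPA.DOMAIN'

# Constructed /var/log/krb5kdc.log excerpt, shaped like MIT krb5kdc's
# "TGS_REQ ... ISSUE:" and "LOOKING_UP_SERVER" lines. Line 2 is what a working
# cross-realm ticket for the Samba server looks like from the IPA KDC's side.
SAMPLE_KDC_LOG='Sep 15 13:05:10 ipa.ipa.domain krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.10: ISSUE: authtime 1473951910, etypes {rep=18 tkt=18 ses=18}, admin@IPA.DOMAIN for krbtgt/IPA.DOMAIN@IPA.DOMAIN
Sep 15 13:05:12 ipa.ipa.domain krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1473951900, etypes {rep=18 tkt=18 ses=18}, user@AD.DOMAIN for cifs/samba.server.host@IPA.DOMAIN
Sep 15 13:07:41 ipa.ipa.domain krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: LOOKING_UP_SERVER: authtime 0,  user@AD.DOMAIN for cifs/other.server.host@IPA.DOMAIN, Server not found in Kerberos database'

# kdc_cifs_status LOG CLIENT SERVICE -> prints one of:
#   ISSUED          the IPA KDC issued CLIENT a ticket for SERVICE, so Kerberos
#                   worked and the problem is on the Samba side
#   SERVER_UNKNOWN  the client asked, but for a principal the IPA KDC does not
#                   have (typically short name vs FQDN, or wrong realm)
#   NO_REQUEST      the IPA KDC never saw a request for SERVICE from CLIENT;
#                   this is what a client that fell back to NTLMSSP looks like
kdc_cifs_status() {
    log=$1; client=$2; service=$3
    pair="$client for $service"
    if printf '%s\n' "$log" | grep -F 'TGS_REQ' | grep -F 'ISSUE:' | grep -Fq "$pair"; then
        echo ISSUED
    elif printf '%s\n' "$log" | grep -F 'TGS_REQ' | grep -F "$pair" | grep -Fq 'Server not found'; then
        echo SERVER_UNKNOWN
    else
        echo NO_REQUEST
    fi
}

# Constructed output of 'klist' on a Windows client. Windows prints principals
# as "name @ REALM" with spaces around the '@', unlike MIT klist.
SAMPLE_WIN_KLIST='Cached Tickets: (2)

#0>     Client: user @ AD.DOMAIN
        Server: krbtgt/AD.DOMAIN @ AD.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: user @ AD.DOMAIN
        Server: cifs/samba.server.host @ IPA.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96'

# win_klist_has_ticket KLIST_OUTPUT SPN REALM -> exit 0 if a service ticket for
# SPN@REALM is cached. No cifs/ entry after hitting the share means the client
# never completed Kerberos for it and SMB negotiated NTLMSSP instead.
win_klist_has_ticket() {
    printf '%s\n' "$1" | grep -Fq "Server: $2 @ $3"
}

# Usage against the constructed samples:
kdc_cifs_status "$SAMPLE_KDC_LOG" "$CLIENT" "$SERVICE"                          # ISSUED
kdc_cifs_status "$SAMPLE_KDC_LOG" "$CLIENT" 'cifs/other.server.host@IPA.DOMAIN' # SERVER_UNKNOWN
kdc_cifs_status "$SAMPLE_KDC_LOG" "$CLIENT" 'cifs/samba@IPA.DOMAIN'             # NO_REQUEST
if win_klist_has_ticket "$SAMPLE_WIN_KLIST" 'cifs/samba.server.host' 'IPA.DOMAIN'; then
    echo 'Windows client holds a cifs ticket from IPA.DOMAIN'
fi
```

On a real system, feed the functions the actual files (for example `kdc_cifs_status "$(cat /var/log/krb5kdc.log)" user@AD.DOMAIN cifs/samba.server.host@IPA.DOMAIN` on the IPA master) and paste the Windows klist output into the second. NO_REQUEST together with a missing cifs/ entry in klist is the pattern that matches the NTLMSSP fallback seen in the Samba logs above: the Windows client never asked the IPA KDC for a ticket, so the place to look is the trust, name resolution for the FQDN, or the SPN the client is building, not smb.conf.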