[Freeipa-users] Samba Server setup

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 16 05:04:35 UTC 2016


On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/15/16, 1:06 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
>    On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>    >All,
>    >  I’m working on setting up Samba to serve files from a server attached
>    >  to our IPA domain. I followed the directions in
>    >  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
>    >  Everything seems to work and I can access the files from another RHEL
>    >  server attached to the same domain using a Kerberos ticket from a
>    >  user from the trusted AD domain. However, I can’t access this share
>    >  from a windows client that is also attached to the trusted AD domain.
>    >
>    >My smb.conf is as follows:
>    >[global]
>    >        workgroup = IPA
>    >        realm = IPA.DOMAIN
>    >        kerberos method = dedicated keytab
>    >        dedicated keytab file = FILE:/etc/samba/samba.keytab
>    >        log file = /var/log/samba/log.%m
>    >        log level = 3
>    >        security = ads
>    >        load printers = no
>    >        disable spoolss = yes
>    >        map to guest = Never
>    >        restrict anonymous = 2
>    >
>    >[spacetest]
>    >        path = /var/www
>    >        writable = yes
>    >        browsable = yes
>    >
>    >I put the keytab in place from the cifs service from the IPA server.
>    >
>    >I feel like I’m missing something small, but I can’t seem to find it.
>    >Logs from samba are here: http://pastebin.com/aMDXfR78
>    These logs show that your Windows client did not use Kerberos but tried
>    to authenticate with password using NTLMSSP. This is not supported yet,
>    as written on the page you used for the setup guidance.
>
>    You need to find out why Windows client didn't use Kerberos.
>    Is your trust to AD really working?
>
>We’re authenticating AD users on the hosts that are connected to IPA.
>We’re able to create external groups and associate them with internal
>groups for HBAC and sudoers rules. Is there something else I should
>check to see if the trust is working? It’s entirely possible I missed
>something somewhere in the setup, but I don’t think I did.
Start by listing your configuration. Show:
 - ipa service-show cifs/samba.server.host (using FQDN hostname)

 - ipa trust-show ad.domain

 - kinit user@AD.DOMAIN ; KRB5_TRACE=/dev/stderr smbclient -k //samba.server.host/share

 - Try to access \\samba.server.host\share from Windows host and then
   show 'klist' in the Windows shell, or alternatively,

 - if you are using Windows Server 2012 or later, show output of
   'klist get cifs/samba.server.host@IPA.DOMAIN'

 - show any lines related to user@AD.DOMAIN and
   cifs/samba.server.host from /var/log/krb5kdc.log on IPA master

You can replace actual hostnames/realm names/IP addresses by something more generic
in the output when sending to the list, but please do it consistently.

-- 
/ Alexander Bokovoy
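The reply above asks for three things that can be prepared offline before anything is posted to the list: confirming from the Samba log which mechanism the Windows client actually used (NTLMSSP versus Kerberos), pulling the krb5kdc.log lines that involve both the AD user and the cifs service, and anonymising hostnames and realms consistently. The script below is an added example, not from the thread and not FreeIPA or Samba project code. The log lines in it are constructed to resemble Samba log-level-3 and MIT KDC output, and the strings it matches on ("Got NTLMSSP neg_flags", "ntlmssp_server_auth", "gensec_gse") are assumptions about log wording; adjust them against your own logs. The real names in NAME_MAP are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): offline helpers for the checks requested above.
# Log samples are constructed; the match strings are assumptions about Samba/KDC wording.

# 1. Which mechanism did the client use?  Samba at 'log level = 3' logs the NTLMSSP
#    negotiate/auth steps with the word NTLMSSP, while the GSSAPI/Kerberos path goes
#    through gensec_gse.  SPNEGO may merely *offer* NTLMSSP, so match the auth steps.
auth_mechanism() {   # $1 = samba log file; prints ntlmssp | kerberos | unknown
    if grep -qE 'Got NTLMSSP neg_flags|ntlmssp_server_auth' "$1"; then
        echo ntlmssp
    elif grep -qiE 'gensec_gse|kerberos' "$1"; then
        echo kerberos
    else
        echo unknown
    fi
}

# 2. KDC lines that mention both the AD user and the cifs service principal.
kdc_lines() {   # $1 = krb5kdc.log  $2 = client principal  $3 = service principal
    grep -F -- "$2" "$1" | grep -F -- "$3"
}

# 3. Consistent anonymisation: each real name always maps to the same placeholder, so
#    principals still correlate across files.  Longer names come first so that a host
#    name is rewritten before the bare domain it contains.  (Placeholder values.)
NAME_MAP='samba01.example.internal=samba.server.host
ipa01.example.internal=ipa.master.host
EXAMPLE.INTERNAL=IPA.DOMAIN
example.internal=ipa.domain
CORP.EXAMPLE.COM=AD.DOMAIN
corp.example.com=ad.domain
192.0.2.10=WIN_CLIENT_IP'

sanitize() {   # $1 = input file; prints the sanitised text
    script=''
    for pair in $NAME_MAP; do
        real=${pair%%=*}; fake=${pair#*=}
        esc=$(printf '%s' "$real" | sed 's/\./\\./g')   # escape dots for the regex
        script="$script;s/$esc/$fake/g"
    done
    sed "${script#;}" "$1"
}

# Constructed samples (not the poster's pastebin; wording only approximates real logs).
SAMBA_LOG_SAMPLE='[2016/09/15 13:05:41.000001,  3] ntlmssp_server_negotiate
  Got NTLMSSP neg_flags=0xe2088297
[2016/09/15 13:05:41.000002,  3] ntlmssp_server_auth
  check_ntlm_password: Checking password for user [andy] domain [CORP] workstation [WINPC]'
KDC_LOG_SAMPLE='Sep 15 13:05:40 ipa01.example.internal krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.10: ISSUE: authtime 1473944700, etypes {rep=18 tkt=18 ses=18}, andy@CORP.EXAMPLE.COM for cifs/samba01.example.internal@EXAMPLE.INTERNAL
Sep 15 13:05:40 ipa01.example.internal krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 23 24 -135 3}) 192.0.2.11: ISSUE: authtime 1473944701, etypes {rep=18 tkt=18 ses=18}, host/rhel01.example.internal@EXAMPLE.INTERNAL for ldap/ipa01.example.internal@EXAMPLE.INTERNAL'

demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    printf '%s\n' "$SAMBA_LOG_SAMPLE" > "$tmp/log.winpc"
    printf '%s\n' "$KDC_LOG_SAMPLE"   > "$tmp/krb5kdc.log"
    echo "mechanism seen in samba log: $(auth_mechanism "$tmp/log.winpc")"
    echo "KDC lines for the AD user and the cifs service (sanitised):"
    kdc_lines "$tmp/krb5kdc.log" andy@CORP.EXAMPLE.COM cifs/samba01.example.internal > "$tmp/hits"
    sanitize "$tmp/hits"
}
demo
```

Run it against the real files by pointing auth_mechanism at /var/log/samba/log.<windows-client> and kdc_lines at the IPA master's /var/log/krb5kdc.log; "ntlmssp" is the outcome the reply above describes, and the sanitised KDC lines are what to paste, with the NAME_MAP edited so every occurrence of a real name maps to one placeholder.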
