[Freeipa-users] Samba Server setup

Brook, Andy [CRI] abrook at bsd.uchicago.edu
Fri Sep 16 14:47:20 UTC 2016


On 9/16/16, 12:04 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

    On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
    >On 9/15/16, 1:06 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
    >
    >    On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
    >    >All,
    >    >  I’m working on setting up Samba to serve files from a server attached
    >    >  to our IPA domain. I followed the directions in
    >    >  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
    >    >  Everything seems to work and I can access the files from another RHEL
    >    >  server attached to the same domain using a Kerberos ticket from a
    >    >  user from the trusted AD domain. However, I can’t access this share
    >    >  from a windows client that is also attached to the trusted AD domain.
    >    >
    >    >My smb.conf is as follows:
    >    >[global]
    >    >        workgroup = IPA
    >    >        realm = IPA.DOMAIN
    >    >        kerberos method = dedicated keytab
    >    >        dedicated keytab file = FILE:/etc/samba/samba.keytab
    >    >        log file = /var/log/samba/log.%m
    >    >        log level = 3
    >    >        security = ads
    >    >        load printers = no
    >    >        disable spoolss = yes
    >    >        map to guest = Never
    >    >        restrict anonymous = 2
    >    >
    >    >[spacetest]
    >    >        path = /var/www
    >    >        writable = yes
    >    >        browsable = yes
    >    >
    >    >I put the keytab in place from the cifs service from the IPA server.
    >    >
    >    >I feel like I’m missing something small, but I can’t seem to find it.
    >    >Logs from samba are here: http://pastebin.com/aMDXfR78
    >    These logs show that your Windows client did not use Kerberos but tried
    >    to authenticate with password using NTLMSSP. This is not supported yet,
    >    as written on the page you used for the setup guidance.
    >
    >    You need to find out why the Windows client didn't use Kerberos.
    >    Is your trust to AD really working?
    >
    >We’re authenticating AD users on the hosts that are connected to IPA.
    >We’re able to create external groups and associate them with internal
    >groups for HBAC and sudoers rules. Is there something else I should
    >check to see if the trust is working? It’s entirely possible I missed
    >something somewhere in the setup, but I don’t think I did.
    Start by listing your configuration. Show:
     - ipa service-show cifs/samba.server.host (using FQDN hostname)

     - ipa trust-show ad.domain

     - kinit user@AD.DOMAIN; KRB5_TRACE=/dev/stderr smbclient -k //samba.server.host/share

     - Try to access \\samba.server.host\share from Windows host and then
       show 'klist' in the Windows shell, or alternatively,

     - if you are using Windows Server 2012 or later, show output of
       'klist get cifs/samba.server.host@IPA.DOMAIN'

     - show any lines related to user@AD.DOMAIN and
       cifs/samba.server.host from /var/log/krb5kdc.log on IPA master

    You can replace actual hostnames/realm names/IP addresses by something more generic
    in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but from your response, it looks like I wasn’t. I’m sorry about that. I got yelled at by our security team last time we sent logs to a public list that had any type of identifiable information in them, so it’s sort of a new process for me. I think I have it down now. 

The results of the commands are here: http://pastebin.com/PRwr7wv6


Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of Chicago
T: 773-834-0458 | http://cri.uchicago.edu
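A small helper for the consistent placeholder substitution Alexander asks for before command output is pasted to the list: names are replaced longest-first so a host under a domain is not half-rewritten, the realm (UPPERCASE) and DNS (lowercase) forms of one domain get matching placeholders, and each distinct IP gets a stable TEST-NET address. This is an added example, not code from the thread; the sample log lines, the NAME_MAP entries and the 192.0.2.N addresses are constructed.

```python
import re

# Constructed sample resembling the klist / krb5kdc.log lines requested in the thread.
SAMPLE = """\
Default principal: jdoe@AD.EXAMPLE.COM
Sep 16 09:00:01 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 23 3}) 10.1.2.3: ISSUE: authtime 1473998401, etypes {rep=18 tkt=18 ses=18}, jdoe@AD.EXAMPLE.COM for cifs/samba.ipa.example.com@IPA.EXAMPLE.COM
Sep 16 09:00:02 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 23 3}) 10.1.2.9: ISSUE: authtime 1473998402, etypes {rep=18 tkt=18 ses=18}, host/client.ipa.example.com@IPA.EXAMPLE.COM for cifs/samba.ipa.example.com@IPA.EXAMPLE.COM
"""

# Constructed mapping: real name -> placeholder (placeholders follow the ones used in the thread).
NAME_MAP = {
    "ad.example.com": "ad.domain",
    "ipa.example.com": "ipa.domain",
    "samba.ipa.example.com": "samba.server.host",
}


class Redactor:
    """Rewrites real names and addresses into stable placeholders.

    Names are matched longest-first and case-insensitively; the replacement
    copies the case of the match, so AD.EXAMPLE.COM -> AD.DOMAIN (realm) and
    ad.example.com -> ad.domain (DNS) stay distinguishable. Each distinct IPv4
    address becomes 192.0.2.N (TEST-NET-1), numbered by first appearance.
    """

    _IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

    def __init__(self, name_map):
        ordered = sorted(name_map, key=len, reverse=True)  # longest first
        self._names = re.compile("|".join(re.escape(n) for n in ordered), re.IGNORECASE)
        self._lookup = {n.lower(): v for n, v in name_map.items()}
        self._ips = {}  # real address -> placeholder, kept across calls

    def _name(self, m):
        real = m.group(0)
        fake = self._lookup[real.lower()]
        if real.isupper():
            return fake.upper()
        if real.islower():
            return fake.lower()
        return fake

    def _ip(self, m):
        return self._ips.setdefault(m.group(0), "192.0.2.%d" % (len(self._ips) + 1))

    def redact(self, text):
        return self._IPV4.sub(self._ip, self._names.sub(self._name, text))


if __name__ == "__main__":
    print(Redactor(NAME_MAP).redact(SAMPLE))
```

Run all outputs through one Redactor instance so the same real host or address maps to the same placeholder in every file sent.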






