[Freeipa-users] Samba Server setup

Brook, Andy [CRI] abrook at bsd.uchicago.edu
Wed Sep 21 13:52:54 UTC 2016


On 9/16/16, 12:02 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

    On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
    >    You can replace actual hostnames/realm names/IP addresses by something more generic
    >    in the output when sending to the list, but please do it consistently.
    >
    >I’m sorry. I thought I had been consistent when making changes, but
    >from your response, it looks like I wasn’t. I’m sorry about that. I got
    >yelled at by our security team last time we sent logs to a public list
    >that had any type of identifiable information in them, so it’s sort of
    >a new process for me. I think I have it down now.
    >
    >The results of the commands are here: http://pastebin.com/PRwr7wv6
    So IPA side works fine -- on IPA client you can kinit as AD user and
    then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
    request a service ticket to cifs/... service. That's good.
    
    You need to identify what happens on AD side. A possible issue is that
    name suffix routing to IPA domain is disabled.
    
    Can you provide output of netdom.exe run on Windows side:
    
      netdom trust addom.domain /namesuffixes: ipa.domain
    
    You should get something like example 28 on the page
    https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

Thank you for this. I went to run the command and kept getting an “Incorrect parameter” error. After that I talked to one of our Active Directory admins and he mentioned that we are working on resolving a disjoint namespace error on addom. I don’t understand enough about it, but do know that it can cause issues with Kerberos authentication across domains. That should get fixed soon. Once that gets fixed, I’ll test again. 

I have one more related question. The instruction page states that NTLMSSP authentication isn’t working as of yet, and you mentioned it earlier in this thread as well. Is there a bug or feature request that is tracking that?

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of Chicago
T: 773-834-0458 | http://cri.uchicago.edu


