On 9/16/16, 12:04 AM, "Alexander Bokovoy" <[email protected]> wrote:
On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/15/16, 1:06 PM, "Alexander Bokovoy" <[email protected]> wrote:
>
> On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
> >All,
> > I’m working on setting up Samba to serve files from a server
attached
> > to our IPA domain. I followed the directions in
> >
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
> > Everything seems to work and I can access the files from another
RHEL
> > server attached to the same domain using a Kerberos ticket from a
> > user from the trusted AD domain. However, I can’t access this share
> > from a windows client that is also attached to the trusted AD
domain.
> >
> >My smb.conf is as follows:
> >[global]
> > workgroup = IPA
> > realm = IPA.DOMAIN
> > kerberos method = dedicated keytab
> > dedicated keytab file = FILE:/etc/samba/samba.keytab
> > log file = /var/log/samba/log.%m
> > log level = 3
> > security = ads
> > load printers = no
> > disable spoolss = yes
> > map to guest = Never
> > restrict anonymous = 2
> >
> >[spacetest]
> > path = /var/www
> > writable = yes
> > browsable = yes
> >
> >I put the keytab in place from the cifs service from the IPA server.
> >
> >I feel like I’m missing something small, but I can’t seem to find it.
> >Logs from samba are here: http://pastebin.com/aMDXfR78
> These logs show that your Windows client did not use Kerberos but tried
> to authenticate with password using NTLMSSP. This is not supported yet,
> as written on the page you used for the setup guidance.
>
> You need to find out why Windows client didn't use Kerberos.
> Is your trust to AD really working?
>
>We’re authenticating AD users on the hosts that are connected to IPA.
>We’re able to create external groups and associate them with internal
>groups for HBAC and sudoers rules. Is there something else I should
>check to see if the trust is working? It’s entirely possible I missed
>something somewhere in the setup, but I don’t think I did.
Start by listing your configuration. Show:
- ipa service-show cifs/samba.server.host (using FQDN hostname)
- ipa trust-show ad.domain
- kinit [email protected] ; KRB5_TRACE=/dev/stderr smbclient -k
//samba.server.host/share
- Try to access \\samba.server.host\share from Windows host and then
show 'klist' in the Windows shell, or alternatively,
- if you are using Windows Server 2012 or later, show output of
'klist get cifs/[email protected]'
- show any lines related to use [email protected] and
cifs/samba.server.host from /var/log/krb5kdc.log on IPA master
You can replace actual hostnames/realm names/IP addresses by something more
generic
in the output when sending to the list, but please do it consistently.
I’m sorry. I thought I had been consistent when making changes, but from your
response, it looks like I wasn’t. I’m sorry about that. I got yelled at by our
security team last time we sent logs to a public list that had any type of
identifiable information in them, so it’s sort of a new process for me. I think
I have it down now.
The results of the commands are here: http://pastebin.com/PRwr7wv6
Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of
Chicago
T: 773-834-0458 | http://cri.uchicago.edu
********************************************************************************
This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please
notify the sender and destroy all copies of the transmittal.
Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
