Hello everyone,
I am attempting to set up a samba file server that uses IPA as a proxy to authenticate AD users. I am using the document below as a template, but it's not working as currently documented. I am wondering if something has changed in the code since that time but the doc hasn't had any update.

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

For the samba client, this is the version of binaries that I am using:

[root@samba4 ~]# rpm -qa | grep samba
samba-common-tools-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
samba-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-client-4.7.1-6.el7.x86_64
samba-libs-4.7.1-6.el7.x86_64

For IPA server, this is the version I am running:

ipa-server-4.5.4-10.el7_5.1.x86_64

There is a trust relationship between the IPA and the Active Directory. The AD is on the corp.example.com domain and the IPA is on eng.example.com. When I point any of the IPA clients to \\samba4.eng.example.com, all works as expected. However, when I point any of the AD clients (Windows 10) to \\samba4.eng.example.com, I am not having any joy.

After parsing the logs, the section below looks like the most relevant part of the logs. What would cause this issue? Any pointer on how to overcome it would be highly appreciated.

Another odd thing is, if I enroll a RHEL 7 system to AD, and then attempt to browse the samba share, everything works fine.

I have shared the full logs on the following link too.
https://pastebin.com/wrycv1UR

Regards,
William

[2018/06/13 13:42:20.963867, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2018/06/13 13:42:20.963942, 5, pid=14330, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2018/06/13 13:42:20.964334, 10, pid=14330, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:1326(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2018/06/13 13:42:20.965559, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3011(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[64] dyn[yes:96] at ../source3/smbd/smb2_negprot.c:657
[2018/06/13 13:42:20.965625, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:923(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/2/1
[2018/06/13 13:42:35.997960, 10, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1080(smbd_server_connection_terminate_ex)
  smbd_server_connection_terminate_ex: conn[ipv4:192.168.11.108:61944] reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3935
[2018/06/13 13:42:35.998102, 4, pid=14330, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/06/13 13:42:35.998142, 5, pid=14330, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/06/13 13:42:35.998174, 5, pid=14330, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:651(debug_unix_user_token)
  UNIX token of user 0