On Tue, 03 Mar 2020, C T via FreeIPA-users wrote:
I am trying to set up a samba server as part of a freeipa domain. I'd like users on windows machines from two trusted AD domains to access shares on the server (both users and computers are in the trusted AD domains). I've been through the docs (RHEL 8 "Setting up Samba on an IDM domain member", https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA) and built a couple of servers using CentOS 8; results are the same each time -- no worky. These servers integrate with Freeipa fine -- users from both trusted AD domains can SSH in etc. But errors are legion in samba. Both IPA and AD domains (and the trust relationships) have been in production for a while working fine so I'm pretty confident DNS is ok. Kerberos seems to be working fine too as I can kinit users in all domains OK from the samba box. I'm confident firewalls are not blocking anything. I'm thinking it's winbind that is the key problem, with it somehow not being able to auth to the AD domains, but I'm not experienced with Samba/winbind so I'm struggling after all day on it. Any guidance would be appreciated.

Your details are not enough. Could you please show exactly what you ran to set up the file server and what problems you see? No need to show Samba logs without that first.

The instructions in RHEL 8 documentation (basically, have RHEL 8.1 machines for IPA master and IPA client, install and run ipa-client-samba tool and start smb/winbind services) should be enough. Anything else is not needed and should not be needed.

Do not look into wbinfo output, it is misleading and is not really relevant here. Show how you set things up.

We have SMB setup tested every week in upstream CI, for both IPA users and trusted AD users and there are no issues for quite some time:

Fedora 31: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cb96c692-5cdd-11ea-b215-fa163ebb6b2b/report.html
Fedora 30: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/68aeafbc-5b08-11ea-9ddf-fa163eea4ea4/report.html

You can expand the reports to see detailed logs, https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_smb.py is the test suite that defines all those tests.

Can you show how smbclient behaves when you are using it against the SMB server you set up? You can see expected use and expected output in the test reports above.

Also, design documents for the integration are here:

Domain Member: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-member.md
Domain Controller: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-controller.md

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
