On Fri, 21 Oct 2022, Kees Bakker via FreeIPA-users wrote:
It turns out to be caused by missing SELinux permissions. As soon as I
set selinux to permissive it started to work.

Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore.
Still there are more things blocked by selinux, which I'm investigating right
now.

I think this was fixed with
https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS
9 Stream.

Coming back to your original task. You should not use ipasam outside of
IPA trust controllers at all. Instead, please follow the RHEL IdM guide
which literally wants you to install ipa-client-samba package and run
ipa-client-samba installer to generate proper configuration for a Samba
server on IPA client. Have you tried that?

I am linking to RHEL IdM in RHEL 8 guide because RHEL 9 guides are not
fully published yet. It is the same story there:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm


-- Kees

On 17-10-2022 11:45, Kees Bakker via FreeIPA-users wrote:
Hi,

This weekend I installed CentOS 9 stream on a server that had CentOS 7 on it.
One of its main tasks is to be a Samba server. I completely reinstalled and
set up Samba. I used ipasam before and it was working.

I copied the smb.conf from the old system. But now it gives me a fatal error.

Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868,  0] ipa_sam.c:5174(pdb_init_ipasam)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   Failed to get base DN.
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001,  0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111,  0] ../../lib/util/fault.c:172(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===============================================================
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185,  0] ../../lib/util/fault.c:173(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    in pid 271493 (4.16.4)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268,  0] ../../lib/util/fault.c:177(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322,  0] ../../lib/util/fault.c:182(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===============================================================
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373,  0] ../../lib/util/fault.c:183(smb_panic_log)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    in 4.16.4
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940,  0] ../../lib/util/fault.c:287(log_stack_trace)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #8 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x21) [0x559ea4beaa71]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #9 /usr/libexec/samba/samba-dcerpcd(main+0x54a) [0x559ea4be5dba]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #10 /lib64/libc.so.6(+0x3feb0) [0x7f2c94333eb0]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #11 /lib64/libc.so.6(__libc_start_main+0x80) [0x7f2c94333f60]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:    #12 /usr/libexec/samba/samba-dcerpcd(_start+0x25) [0x559ea4be78e5]
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.616354,  0] ../../source3/lib/dumpcore.c:317(dump_core)
Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]:   coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern

The versions of some packages:
#############################################################
# dnf list samba\* ipa\*
Last metadata expiration check: 0:30:46 ago on Mon 17 Oct 2022 11:04:25 AM CEST.
Installed Packages
ipa-client.x86_64             4.10.0-6.el9    @appstream
ipa-client-common.noarch      4.10.0-6.el9    @appstream
ipa-client-samba.x86_64       4.10.0-6.el9    @appstream
ipa-common.noarch             4.10.0-6.el9    @appstream
ipa-healthcheck-core.noarch   0.9-3.el9       @appstream
ipa-selinux.noarch            4.10.0-6.el9    @appstream
ipa-server.x86_64             4.10.0-6.el9    @appstream
ipa-server-common.noarch      4.10.0-6.el9    @appstream
ipa-server-trust-ad.x86_64    4.10.0-6.el9    @appstream
samba.x86_64                  4.16.4-101.el9  @baseos
samba-client.x86_64           4.16.4-101.el9  @appstream
samba-client-libs.x86_64      4.16.4-101.el9  @anaconda
samba-common.noarch           4.16.4-101.el9  @anaconda
samba-common-libs.x86_64      4.16.4-101.el9  @anaconda
samba-common-tools.x86_64     4.16.4-101.el9  @baseos
samba-libs.x86_64             4.16.4-101.el9  @baseos
samba-winbind.x86_64          4.16.4-101.el9  @baseos
samba-winbind-modules.x86_64  4.16.4-101.el9  @baseos
#############################################################

The smb.conf, the [global] part
#############################################################
# Global parameters
[global]
        create krb5 conf = No
        dedicated keytab file = /etc/samba/samba.keytab
        disable spoolss = Yes
        domain logons = Yes
        domain master = Yes
        kerberos method = dedicated keytab
        ldap debug level = 99
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        ldap ssl = no
        ldap suffix = dc=example,dc=com
        ldap user suffix = cn=users,cn=accounts
        #ldap admin dn = uid=samba_admin,cn=users,cn=accounts,dc=example,dc=com
        #log level = 99
        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 100000
        passdb backend = ipasam:ldaps://rotte.example.com
        realm = EXAMPLE.COM
        registry shares = Yes
        security = USER
        workgroup = EXAMPLE
        rpc_daemon:lsasd = fork
        rpc_daemon:epmd = fork
        rpc_server:tcpip = yes
        rpc_server:netlogon = external
        rpc_server:samr = external
        rpc_server:lsasd = external
        rpc_server:lsass = external
        rpc_server:lsarpc = external
        #rpc_server:epmapper = external
        ldapsam:trusted = yes
        idmap config * : backend = tdb
#############################################################

Unfortunately I couldn't really find much documentation about ipasam. Is this
still the best approach for a Samba server in a FreeIPA environment?
--
Kees
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
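
An added example, not part of the original thread and not FreeIPA or Samba project code: instead of leaving the host in permissive mode, the AVC denials for samba-dcerpcd can be grouped by SELinux type to separate file-labelling (fcontext) problems from the rest. The audit records, the type names in them and the file-versus-policy triage hint are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); types and paths are illustrative.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1665991401.614:901): avc:  denied  { read } for  pid=271493 comm="samba-dcerpcd" name="samba.keytab" dev="dm-0" ino=1311 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665991401.615:902): avc:  denied  { open } for  pid=271493 comm="samba-dcerpcd" path="/etc/samba/samba.keytab" dev="dm-0" ino=1311 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1665991402.100:903): avc:  denied  { name_connect } for  pid=271493 comm="samba-dcerpcd" dest=636 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1665991402.200:904): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file"}

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules match on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(audit_text, comm="samba-dcerpcd"):
    """Group denials for one command by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") != comm:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("path") or rec.get("name") or rec.get("dest", "?"))
    return groups

def report(groups):
    """One line per group; the trailing hint is a rough triage heuristic only."""
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        hint = "check file label (fcontext)" if tclass in FILE_CLASSES else "check policy/booleans"
        lines.append(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }} "
                     f"objects={sorted(g['objects'])} [{hint}]")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_AUDIT))))
```

On a real host the input would be the text of the audit log rather than the embedded sample.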