On Wed, 28 Feb 2024, Thomas Handler via FreeIPA-users wrote:
> Hi all,
>
> I am facing a problem I got stuck upon. We have the following setup:
>
> [Diagram: AD; ums012 (IPA); ums029 (smbclient); ums025 (samba)]
>
> IPA has a trust established with AD which is working fine. Active Directory users can log on to Linux machines which are connected to IPA; `id some-ad-user` properly shows the AD groups.
>
> ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9. ums029 is used as a test client via smbclient.
>
> ums025 was set up following the instructions in
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
>
> Setup worked fine, all steps went OK. But when I switch over to ums029 and try to verify with an AD user I get
>
>     kinit <ad user>
>     smbclient -L ums025.idm.example.com -U <ad user> --use-kerberos=required
>     Password for [<ad user>@EXAMPLE.COM]:
>     gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
>     session setup failed: NT_STATUS_INVALID_PARAMETER

Can you get more details? It would help to collect debug logs from the samba server as well as the client at the same time, with 'log level = 10' in smb.conf. Use something like the following on the client:

    kinit -c ./file.ccache <ad user>
    KRB5_TRACE=/dev/stderr smbclient -d10 -L ... -U <ad user> --use-kerberos=required --use-krb5-ccache=./file.ccache

This will collect information from the client side.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
