On Thu, 29 Feb 2024, Thomas Handler wrote:
Dear Alexander,
thank you for your assistance, this is greatly appreciated.
Regarding the logs - they got quite big, not sure if I can attach them
here as a .tgz as I have 972k uncompressed.
You can send to me directly or upload somewhere and send a link.
But on the client I got an error message that might explain the problem
better (I have obfuscated the domain but not the IP addresses):
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS
failure. Minor code may provide more information: No credentials cache found]
-the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
kinit for the domain user with the credential file worked fine. As the
attempt logged below was done with my user, I also retried the same
kinit/smbclient call as root, with the same result.
Thank you,
best regards
Thomas
—— log for smbclient —
$ KRB5_TRACE=/dev/stderr smbclient -d10 -L ums025.example.com -U
[email protected] --use-kerberos=required --use-krb5-ccache=./file.ccache
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
…
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = SAMBA
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter load printers = yes
doing parameter cups options = raw
doing parameter include = /etc/samba/usershares.conf
Can't find include file /etc/samba/usershares.conf
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
netmask=255.255.255.0
added interface ens192 ip=10.130.103.38 bcast=10.130.103.255
netmask=255.255.255.0
Client started (version 4.18.6).
Opening cache file at /var/lib/samba/lock/gencache.tdb
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file
/var/lib/samba/lock/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/tha/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up ums025.example.com#20 (sitename (null))
gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20]
and timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1709223544 seconds in the past)
namecache_fetch: no entry for ums025.example.com#20 found.
resolve_hosts: Attempting host lookup for name ums025.example.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for ums025.example.com#20: 10.130.103.25
gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20]
and timeout=[Thu Feb 29 05:30:04 PM 2024 CET] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.130.103.25
Connecting to 10.130.103.25 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1,
TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0,
IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=367360,
SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1,
TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[ums025.example.com]
cli_session_setup_spnego_send: Connect to ums025.example.com as
[email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS
failure. Minor code may provide more information: No credentials cache found]
-the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
gensec_update_send: spnego[0x55f8e36a9910]: subreq: 0x55f8e36e5de0
gensec_update_done: spnego[0x55f8e36a9910]: NT_STATUS_INVALID_PARAMETER
tevent_req[0x55f8e36e5de0/../../auth/gensec/spnego.c:1632]: state[3]
error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct
gensec_spnego_update_state (0x55f8e36e5fa0)] timer[(nil)]
finish[../../auth/gensec/spnego.c:1947]
SPNEGO login failed: An invalid parameter was passed to a service or function.
session setup failed: NT_STATUS_INVALID_PARAMETER
-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Reply: Alexander Bokovoy <[email protected]>
Date: 29. February 2024 at 14:11:30
To: FreeIPA users list <[email protected]>
Cc: Thomas Handler <[email protected]>
Subject: Re: [Freeipa-users] problem allowing Windows Active Directory users
to access SMB shares on IPA client machine (IPA has trust with AD)
On Wed, 28 Feb 2024, Thomas Handler via FreeIPA-users wrote:
>
>Hi all,
>
>I am facing a problem I got stuck upon.
>
>
>We have the following setup:
>
>                    +-----------+
>                    |           |
>                    |    AD     |
>                    |           |
>                    +-----------+
>+--------------+          ^
>|              +----------+
>|    ums012    |
>|              |
>|     IPA      |
>+--------------+
>       ^
>       |              +--------------+
>       |              |              |
>       |              |    ums029    |
>       |              |              |
>       |              |  smbclient   |
>       |              +---+----------+
>+------+--------+         |
>|               |         |
>|    ums025     |         |
>|               |<--------+
>|    samba      |
>+---------------+
>
>IPA has a trust established with AD which is working fine. Active Directory
>users can logon on Linux machines which are connected to IPA, `id some-ad-user`
>properly shows the AD groups.
>
>ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9.
>
>ums029 is used as a test client via smbclient.
>
>
>ums025 was set up following the instructions in
>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
>
>Setup worked fine, all steps went ok.
>
>But when I switch over to ums029 and try to verify with an AD user I get
>
>
>kinit
>smbclient -L ums025.idm.example.com -U --use-kerberos=required
>Password for [@EXAMPLE.COM]:
>gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT
>for cifs/ums025.idm.example.com failed (next[(null)]):
>NT_STATUS_INVALID_PARAMETER
>session setup failed: NT_STATUS_INVALID_PARAMETER
Can you get more details?
It would help to collect debug logs from the samba server as well as the
client at the same time, with 'log level = 10' in smb.conf.
Use something like the following on the client:
kinit -c ./file.ccache
KRB5_TRACE=/dev/stderr smbclient -d10 -L ... -U --use-kerberos=required
--use-krb5-ccache=./file.ccache
This will collect information from the client side.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
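As an added triage helper (not code from the thread or from Samba/FreeIPA), the functions below take the smbclient -d10 output and the ccache passed via --use-krb5-ccache and report which credential cache GENSEC actually tried to import, the GSS minor-code reason, and whether the two names match; the sample log text is constructed from the excerpt above, and treating a bare path as a FILE: ccache is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare the credential cache the
# smbclient Kerberos layer reports against the one requested on the command
# line. SAMPLE_LOG is constructed from the thread's excerpt, re-joined to one
# line per message as smbclient prints it.
SAMPLE_LOG='Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT'

# ccache name reported by smb_gss_krb5_import_cred, empty if the line is absent
reported_ccache() {
    printf '%s\n' "$1" |
        sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)\].*/\1/p' | head -n 1
}

# GSS minor-code text from the same line ("No credentials cache found" here)
gss_minor_reason() {
    printf '%s\n' "$1" |
        sed -n 's/.*Minor code may provide more information: \([^]]*\)\].*/\1/p' | head -n 1
}

# Verdict: match | mismatch | unknown. A bare path is taken to mean a FILE:
# ccache (assumption: the krb5 default type for names without a prefix).
check_ccache() {
    log=$1; requested=$2
    actual=$(reported_ccache "$log")
    case "$requested" in
        *:*) ;;
        *)   requested="FILE:$requested" ;;
    esac
    if [ -z "$actual" ]; then
        echo unknown
    elif [ "$actual" = "$requested" ]; then
        echo match
    else
        echo mismatch
    fi
}

# On a real run, capture the client output and feed it in, e.g.
#   KRB5_TRACE=/dev/stderr smbclient -d10 -L host -U user --use-kerberos=required \
#       --use-krb5-ccache=./file.ccache 2>&1 | tee smbclient.log
#   check_ccache "$(cat smbclient.log)" ./file.ccache
echo "reported=$(reported_ccache "$SAMPLE_LOG") reason=$(gss_minor_reason "$SAMPLE_LOG") verdict=$(check_ccache "$SAMPLE_LOG" ./file.ccache)"
```

A "mismatch" verdict means the client resolved a different cache (here KCM) than the file you passed, so the next thing to check is how the ccache name is being resolved rather than the kinit itself.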