Dear Alexander,

thank you for your great support, I have sent the logs directly to you by e-mail.

Best regards,
Thomas

-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Reply: Alexander Bokovoy <[email protected]>
Date: 1. March 2024 at 08:29:34
To: Thomas Handler <[email protected]>
Cc: FreeIPA users list <[email protected]>
Subject: Re: [Freeipa-users] problem allowing Windows Active Directory users to access SMB shares on IPA client machine (IPA has trust with AD)

> On Thu, 29 Feb 2024, Thomas Handler wrote:
> >Dear Alexander,
> >
> >thank you for your assistance, this is greatly appreciated.
> >
> >Regarding the logs - they got quite big, not sure if I can attach them
> >here as a .tgz as I have 972k uncompressed.
>
> You can send to me directly or upload somewhere and send a link.
>
> >But on the client I got an error message that might explain the problem
> >better (I have obfuscated the domain but not IP addresses):
> >
> >smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
> >Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> >gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> >
> >kinit for the domain user with the credential file worked fine; as the
> >attempt logged below was done with my user, I also retried the same
> >kinit/smbclient call as root with the same result.
> >
> >Thank you,
> >
> >best regards
> >Thomas
> >
> >—— log for smbclient ——
> >
> >$ KRB5_TRACE=/dev/stderr smbclient -d10 -L ums025.example.com -U [email protected] --use-kerberos=required --use-krb5-ccache=./file.ccache
> >Initialising global parameters
> >rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> >INFO: Current debug levels:
> >  all: 10
> >  tdb: 10
> >  printdrivers: 10
> >  lanman: 10
> >  smb: 10
> >  rpc_parse: 10
> >  …
> >  dsdb_group_audit: 10
> >  dsdb_group_json_audit: 10
> >Processing section "[global]"
> >doing parameter workgroup = SAMBA
> >doing parameter security = user
> >doing parameter passdb backend = tdbsam
> >doing parameter printing = cups
> >doing parameter printcap name = cups
> >doing parameter load printers = yes
> >doing parameter cups options = raw
> >doing parameter include = /etc/samba/usershares.conf
> >Can't find include file /etc/samba/usershares.conf
> >pm_process() returned Yes
> >lp_servicenumber: couldn't find homes
> >added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
> >added interface ens192 ip=10.130.103.38 bcast=10.130.103.255 netmask=255.255.255.0
> >Client started (version 4.18.6).
> >Opening cache file at /var/lib/samba/lock/gencache.tdb
> >tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
> >gencache_init: Opening user cache file /home/tha/.cache/samba/gencache.tdb.
> >sitename_fetch: No stored sitename for realm ''
> >internal_resolve_name: looking up ums025.example.com#20 (sitename (null))
> >gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20] and timeout=[Thu Jan 1 01:00:00 AM 1970 CET] (-1709223544 seconds in the past)
> >namecache_fetch: no entry for ums025.example.com#20 found.
> >resolve_hosts: Attempting host lookup for name ums025.example.com<0x20>
> >remove_duplicate_addrs2: looking for duplicate address/port pairs
> >namecache_store: storing 1 address for ums025.example.com#20: 10.130.103.25
> >gencache_set_data_blob: Adding cache entry with key=[NBT/UMS025.EXAMPLE.COM#20] and timeout=[Thu Feb 29 05:30:04 PM 2024 CET] (660 seconds ahead)
> >internal_resolve_name: returning 1 addresses: 10.130.103.25
> >Connecting to 10.130.103.25 at port 445
> >socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=367360, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
> > session request ok
> > negotiated dialect[SMB3_11] against server[ums025.example.com]
> >cli_session_setup_spnego_send: Connect to ums025.example.com as [email protected] using SPNEGO
> >GENSEC backend 'gssapi_spnego' registered
> >GENSEC backend 'gssapi_krb5' registered
> >GENSEC backend 'gssapi_krb5_sasl' registered
> >GENSEC backend 'spnego' registered
> >GENSEC backend 'schannel' registered
> >GENSEC backend 'ncalrpc_as_system' registered
> >GENSEC backend 'sasl-EXTERNAL' registered
> >GENSEC backend 'ntlmssp' registered
> >GENSEC backend 'ntlmssp_resume_ccache' registered
> >GENSEC backend 'http_basic' registered
> >GENSEC backend 'http_ntlm' registered
> >GENSEC backend 'http_negotiate' registered
> >Starting GENSEC mechanism spnego
> >Starting GENSEC submechanism gse_krb5
> >smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
> >Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> >gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> >gensec_update_send: spnego[0x55f8e36a9910]: subreq: 0x55f8e36e5de0
> >gensec_update_done: spnego[0x55f8e36a9910]: NT_STATUS_INVALID_PARAMETER
> >tevent_req[0x55f8e36e5de0/../../auth/gensec/spnego.c:1632]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55f8e36e5fa0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
> >SPNEGO login failed: An invalid parameter was passed to a service or function.
> >session setup failed: NT_STATUS_INVALID_PARAMETER
> >
> >
> >-----Original Message-----
> >From: Alexander Bokovoy
> >Reply: Alexander Bokovoy
> >Date: 29. February 2024 at 14:11:30
> >To: FreeIPA users list
> >Cc: Thomas Handler
> >Subject: Re: [Freeipa-users] problem allowing Windows Active Directory users to access SMB shares on IPA client machine (IPA has trust with AD)
> >
> >> On Wed, 28 Feb 2024, Thomas Handler via FreeIPA-users wrote:
> >> >
> >> >Hi all,
> >> >
> >> >I am facing a problem I got stuck upon.
> >> >
> >> >
> >> >We have the following setup:
> >> >
> >> >                +-----------+
> >> >                |           |
> >> >                |    AD     |
> >> >                |           |
> >> >                +-----------+
> >> >   +--------------+    ^
> >> >   |              +----+
> >> >   |    ums012    |
> >> >   |              |
> >> >   |     IPA      |
> >> >   +--------------+
> >> >          ^
> >> >          |            +--------------+
> >> >          |            |              |
> >> >          |            |    ums029    |
> >> >          |            |              |
> >> >          |            |   smbclient  |
> >> >          |            +---+----------+
> >> >   +------+--------+       |
> >> >   |      |        |       |
> >> >   |    ums025     |       |
> >> >   |      |<---------------+
> >> >   |    samba      |
> >> >   +---------------+
> >> >
> >> >IPA has a trust established with AD which is working fine. Active
> >> >Directory users can logon on Linux machines which are connected to IPA,
> >> >`id some-ad-user` properly shows the AD groups.
> >> >
> >> >ums012 and ums025 are running RHEL 9.3, ums029 is running RHEL 8.9.
> >> >
> >> >ums029 is used as a test client via smbclient.
> >> >
> >> >
> >> >ums025 was setup following the instructions in
> >> >https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm
> >> >
> >> >
> >> >Setup worked fine, all steps went ok.
> >> >
> >> >But when I switch over to ums029 and try to verify with an AD user I get
> >> >
> >> >
> >> >kinit
> >> >smbclient -L ums025.idm.example.com -U --use-kerberos=required
> >> >Password for [@EXAMPLE.COM]:
> >> >gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/ums025.idm.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
> >> >session setup failed: NT_STATUS_INVALID_PARAMETER
> >>
> >> Can you get more details?
> >>
> >> It would help to collect debug logs from the samba server as well as the
> >> client at the same time, with 'log level = 10' in smb.conf.
> >>
> >> Use something like the following on the client:
> >>
> >> kinit -c ./file.ccache
> >> KRB5_TRACE=/dev/stderr smbclient -d10 -L ... -U --use-kerberos=required --use-krb5-ccache=./file.ccache
> >>
> >> This will collect information from the client side.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> --

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
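The detail worth pulling out of the trace above is that smbclient was started with --use-krb5-ccache=./file.ccache, yet the line that fails reads smb_gss_krb5_import_cred ccache[KCM:1624200005], i.e. the GSSAPI layer tried the per-user KCM cache, not the file cache that kinit -c had just populated. The shell helper below is an added example written for this page; it is not code from the thread, from Samba or from FreeIPA. It extracts the ccache name and the GSS minor status from an smbclient -d10 log and compares the ccache against the one requested on the command line. The function names are my own, the embedded log is constructed from the lines quoted in the thread, and the FILE: normalisation assumes libkrb5's rule that a ccache name without a TYPE: prefix is a FILE cache.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/FreeIPA.
# Compares the credential cache that smbclient's GSSAPI layer actually tried
# to import (taken from a -d10 / KRB5_TRACE log) against the one requested with
# --use-krb5-ccache, and reports the GSS minor status when the import failed.

# Print the ccache name from the first smb_gss_krb5_import_cred line, if any.
gss_ccache_from_log() {
    sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)\].*/\1/p' "$1" | head -n 1
}

# Print the text after the last ": " of the GSS failure message, e.g.
# "No credentials cache found"; prints nothing if the import did not fail.
gss_minor_from_log() {
    reason=$(sed -n 's/.*smb_gss_krb5_import_cred .*failed with \[\(.*\)\].*/\1/p' "$1" | head -n 1)
    [ -n "$reason" ] || return 0
    printf '%s\n' "${reason##*: }"
}

# Assumption: libkrb5 treats a ccache name without a TYPE: prefix as FILE:name,
# so ./file.ccache is compared as FILE:./file.ccache.
normalise_ccache() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf 'FILE:%s\n' "$1" ;;
    esac
}

# check_ccache LOG REQUESTED
# exit 0: GSSAPI imported the requested ccache; 1: it tried a different one;
# 2: the log has no smb_gss_krb5_import_cred line to compare against.
check_ccache() {
    log=$1
    requested=$(normalise_ccache "$2")
    actual=$(gss_ccache_from_log "$log")
    if [ -z "$actual" ]; then
        echo "no smb_gss_krb5_import_cred line in $log"
        return 2
    fi
    if [ "$actual" = "$requested" ]; then
        echo "OK: GSSAPI imported the requested ccache $actual"
        return 0
    fi
    minor=$(gss_minor_from_log "$log")
    echo "MISMATCH: requested $requested but GSSAPI tried $actual${minor:+ ($minor)}"
    return 1
}

# Constructed sample: the relevant lines from the trace quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[KCM:1624200005] failed with [Unspecified GSS failure. Minor code may provide more information: No credentials cache found] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
EOF

# Usage with the same ccache argument as in the thread: reports the mismatch
# between FILE:./file.ccache and KCM:1624200005 and exits with status 1.
check_ccache "$SAMPLE_LOG" ./file.ccache || echo "exit status $?"
```

On a real client, feed it the stderr of the KRB5_TRACE=/dev/stderr smbclient -d10 run and the value you passed to --use-krb5-ccache, then cross-check with klist -c ./file.ccache that the file cache really holds the ticket. The helper only makes the discrepancy visible; it does not say why smbclient chose the other cache, which is the question the collected logs are meant to answer.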
