Hi all,
I am quite aware that installing ipa-server-trust-ad and using the samba as a
file server is as unsupported as one can get... but I really needed a Samba
server integrated with IPA (damn Mac OS and Windows). I don't actually have a
Windows environment but this seemed to bootstrap enough of the requirements to
get it working
Bit of a story for those who have time to read and maybe battling similiar, or
just skip to after the log for the fix+patch :)
* ipaNTSecurityIdentifier ended up missing because I didn't use --setsid and NT
hash missing because I did not do a ipa passwd reset
* As a result, experienced user not found or invalid password, and after debug
level 5 I had about 500M of core dumps (sorry don't have them anymore)
* Ran ipa-adtrust-install again with --setsid and reset some passwords and
things started looking better, could connect, all good, NT hash was there and
ipaNTSecurityIdentifier there (ldapsearch <3)
* Then next problem was when I added "valid users = @groupname" to share
config. No longer could connect even if member of the group!
* Turned out ipNTGroupAttr was missing from some groups - thus had to register
the ldif for the ipa-setsid task
Still had problems even after ipa-setsid, and ldapsearch showed all correct.
Here is a snippet from the logs at debug level 10.
> [2014/03/06 15:32:55.658567, 4, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/03/06 15:32:55.658601, 5, pid=28139, effective(0, 0), real(0, 0)]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2014/03/06 15:32:55.658634, 5, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/auth/token_util.c:528(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2014/03/06 15:32:55.658691, 5, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [dc=local,dc=othermedia,dc=com], filter =>
> [(&(ipaNTSecurityIdentifier=S-1-5-21-2563482189-1697247676-1628377611-1005)(|(objectClass=ipaNTGroupAttrs)(objectClass=ipaNTUserAttrs)))],
> scope => [2]
> [2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)]
> ipa_sam.c:309(get_single_attribute)
> Attribute [uidNumber] not found.
> [2014/03/06 15:32:55.659667, 1, pid=28139, effective(0, 0), real(0, 0)]
> ipa_sam.c:717(ldapsam_sid_to_id)
> Could not find uidNumber in
> cn=filestore_archive,cn=groups,cn=accounts,dc=local,dc=othermedia,dc=com
> [2014/03/06 15:32:55.659716, 4, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/03/06 15:32:55.659758, 10, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/passdb/lookup_sid.c:1121(legacy_sid_to_unixid)
> LEGACY: mapping failed for sid
> S-1-5-21-2563482189-1697247676-1628377611-1005
> [2014/03/06 15:32:55.659796, 4, pid=28139, effective(0, 0), real(0, 0)]
> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
I noticed the "Could not find uidNumber" - turns out ipa-sam was being asked to
turn SID into ID and was successfully finding it but needed to work out whether
it was a group or a user. To do this, it searches the objectClass for
"ipNTGroupAttr" - if it finds it, it looks for gidNumber, otherwise it looks
for uidNumber. However, the objectClass added by ipa-setsid is "ipntgroupattr"
and ipa-sam was using "strncmp".
I've fixed this with a patch to use strncasecmp. Might not be the best fix...
maybe ipa-sam should be modified to have the attributes lower case for
comparison? But this was simplest patch. Comments/feedback welcome and maybe
I'll have time to do alternative fix if felt better?
Versions:
RHEL 6.4 3.0.0-37
Code in master branch appears to show the same issue
References:
freeipa/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
around line 54-55: lowercase objectClass addition
freeipa/daemons/ipa-sam/ipa_sam.c
around line 688: case sensitive comparison to ipaNTGroupAttrs
Patch for master branch:
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 1ca504d..c5e8b39 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -750,7 +750,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
}
for (c = 0; values[c] != NULL; c++) {
- if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
values[c]->bv_len) == 0) {
break;
}
Patch for RHEL 6.5 3.0.0-37:
--- a/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:30:15.994792879 +0000
+++ b/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:35:34.966791637 +0000
@@ -685,7 +685,7 @@
}
for (c = 0; values[c] != NULL; c++) {
- if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
values[c]->bv_len) == 0) {
break;
}
Regards,
Jason_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
