Hi all,

I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.

I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
could get.

First step, added a group for Domain Computers in ipa, with SID
S-1-XXXX-515:

dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:

dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.

Fourth step, added a simple samba configuration file on the future samba
server:

[global]
        workgroup = YYYY
        realm = XXXX
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        max log size = 100000
        security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.

Best regards   

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
[New LWP 2559]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `/usr/sbin/smbd'.
Program terminated with signal 6, Aborted.
#0  0x00007fe01c9f15c9 in __GI_raise (sig=6, sig@entry=<error reading variable: 
Cannot access memory at address 0x7fff3f7cf968>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

Core was generated by `pdbedit -L gcentralproxy$'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, 
format=<optimized out>, 
    format@entry=0x7faea1d09718 "talloc: access after free error - first free 
may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
1635              process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0  0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, 
format=<optimized out>, 
    format@entry=0x7faea1d09718 "talloc: access after free error - first free 
may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
#1  0x00007faea18401b5 in ___vsnprintf_chk (s=s@entry=0x7ffff4db225f "", 
maxlen=<optimized out>, maxlen@entry=1, flags=flags@entry=1, slen=slen@entry=1, 
    format=format@entry=0x7faea1d09718 "talloc: access after free error - first 
free may be at %s\n", args=args@entry=0x7ffff4db2260) at vsnprintf_chk.c:63
#2  0x00007faea1d055c5 in vsnprintf (__ap=0x7ffff4db2260, __fmt=<optimized 
out>, __n=1, __s=0x7ffff4db225f "") at /usr/include/bits/stdio2.h:77
#3  talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7faea1d09718 "talloc: 
access after free error - first free may be at %s\n", 
ap=ap@entry=0x7ffff4db22c0)
    at ../talloc.c:2223
#4  0x00007faea1d02c89 in talloc_log (fmt=fmt@entry=0x7faea1d09718 "talloc: 
access after free error - first free may be at %s\n") at ../talloc.c:309
#5  0x00007faea1d02413 in talloc_chunk_from_ptr (ptr=ptr@entry=0x7fae91416ace) 
at ../talloc.c:377
#6  0x00007faea1d047a6 in talloc_chunk_from_ptr (ptr=0x7fae91416ace) at 
../talloc.c:376
#7  __talloc (size=0, context=0x7fae91416ace) at ../talloc.c:578
#8  _talloc_named_const (name=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950", 
size=0, context=0x7fae91416ace) at ../talloc.c:717
#9  talloc_named_const (context=context@entry=0x7fae91416ace, 
size=size@entry=0, name=name@entry=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950") 
at ../talloc.c:1429
#10 0x00007fae91410a29 in ipasam_get_sid_by_gid (ldap_state=<optimized out>, 
ldap_state=<optimized out>, _sid=0x7faea5056b10, gid=1870500500) at 
ipa_sam.c:2950
#11 ipasam_get_primary_group_sid (_group_sid=<synthetic pointer>, 
entry=0x7faea503bde0, ldap_state=0x7faea5048360, mem_ctx=0x7faea5057120) at 
ipa_sam.c:3059
#12 init_sam_from_ldap (entry=0x7faea503bde0, sampass=0x7faea50565f0, 
ldap_state=0x7faea5048360) at ipa_sam.c:3145
#13 ldapsam_getsampwnam (methods=<optimized out>, user=0x7faea50565f0, 
sname=<optimized out>) at ipa_sam.c:3371
#14 0x00007faea2138bed in pdb_getsampwnam 
(sam_acct=sam_acct@entry=0x7faea50565f0, username=username@entry=0x7ffff4db36bb 
"gcentralproxy$")
    at ../source3/passdb/pdb_interface.c:333
#15 0x00007faea35081bd in print_user_info (username=0x7ffff4db36bb 
"gcentralproxy$", verbosity=<optimized out>, smbpwdstyle=<optimized out>)
    at ../source3/utils/pdbedit.c:361
#16 0x00007faea35060f1 in main (argc=<optimized out>, argv=<optimized out>) at 
../source3/utils/pdbedit.c:1257
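An offline consistency check, added here and not part of Loris's post or of the ipasam code: the pdbedit backtrace dies in ipasam_get_sid_by_gid() while resolving the host's primary group (gid 1870500500) to a SID, so this script parses an LDIF dump and verifies that every posix-enabled host's gidNumber resolves to a posixgroup whose ipaNTSecurityIdentifier is in the same domain as the host's own SID. The embedded LDIF is constructed from the post's two objects; the masked domain part of the group SID is assumed to equal the host's, and dc=example,dc=test stands in for the masked base DN.

```python
import re

# Constructed from the post's objects (trimmed); the group's masked SID domain is assumed to match the host's.
SAMPLE_LDIF = """\
dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-515
objectClass: posixgroup
gidNumber: 1870500500

dn: fqdn=gcentralproxy.example.test,cn=computers,cn=accounts,dc=example,dc=test
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
objectClass: ipahost
objectClass: posixAccount
"""

def parse_ldif(text):
    """Parse plain LDIF (no line folding, no base64) into dicts: lowercased attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}

def sid_domain(entry):
    """Domain prefix of the entry's ipaNTSecurityIdentifier if it is a domain SID, else None."""
    sid = entry.get("ipantsecurityidentifier", [""])[0]
    return sid.rsplit("-", 1)[0] if re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-\d+", sid) else None

def check_primary_groups(ldif_text):
    """Return problem strings; empty means each posix host's gidNumber maps to a posixgroup with a SID in the host's domain."""
    entries = parse_ldif(ldif_text)
    by_gid = {g: e for e in entries if "posixgroup" in classes(e) for g in e.get("gidnumber", [])}
    problems = []
    for host in (e for e in entries if {"ipahost", "posixaccount"} <= classes(e)):
        dn, host_dom = host["dn"][0], sid_domain(host)
        if host_dom is None:
            problems.append(f"{dn}: host has no well-formed ipaNTSecurityIdentifier")
        for gid in host.get("gidnumber", []):
            grp = by_gid.get(gid)
            if grp is None:
                problems.append(f"{dn}: gidNumber {gid} matches no posixgroup")
            elif host_dom and sid_domain(grp) != host_dom:
                problems.append(f"{dn}: group for gid {gid} lacks a well-formed SID in the host's domain")
    return problems
```

Run it against an `ldapsearch -LLL` dump of cn=accounts (with folded lines joined first); an empty result means the objects at least satisfy what ipasam's primary-group lookup is going to ask of them.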

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project