On Wed, 22 Jul 2015, William Graboyes wrote:

> Hi All,
>
> I have been messing around with AD trust installs mainly around doing
> ntlm_auth for a radius server.
>
> However, as I was unable to see some of the needed resources, I
> thought maybe IPA may need a kick.

This is your problem:

Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
11:03:19.824614,  0] ipa_sam.c:3574(get_fallback_group_sid)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory
attribute ipaNTSecurityIdentifier.

What did you do?

Try to search as admin and as cifs/`hostname`:
# kinit admin
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
# kdestroy
# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'

If the first one gives you a proper entry with ipaNTSecurityIdentifier
and the second one does not return the same entry, you've broken ACIs.

If both of them are failing, you need to re-run ipa-adtrust-install --add-sids
to fix that.

--
/ Alexander Bokovoy
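
The two-search comparison from the reply above, as an added example that is not part of the original message or of FreeIPA: a shell function that classifies the saved output of the two ldapsearch runs. The function names, the file names and the sample LDIF (DN and SID values) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the two ldapsearch results described in the reply.
# On a real server the inputs would be saved like this (file names assumed):
#   kinit admin
#   ldapsearch -Y GSSAPI '(cn=Default SMB Group)' > admin.ldif
#   kdestroy
#   kinit -kt /etc/samba/samba.keytab cifs/`hostname`
#   ldapsearch -Y GSSAPI '(cn=Default SMB Group)' > cifs.ldif

# Print the SID found in an LDIF file, or nothing if it is not visible.
# LDAP attribute names are case-insensitive, so compare in lower case.
get_sid() {
    awk 'tolower($1) == "ipantsecurityidentifier:" { print $2; exit }' "$1"
}

# $1 = output of the search as admin, $2 = output as cifs/`hostname`.
diagnose_smb_group() {
    admin_sid=$(get_sid "$1")
    cifs_sid=$(get_sid "$2")
    if [ -n "$admin_sid" ] && [ "$admin_sid" = "$cifs_sid" ]; then
        echo "ok: both principals see ipaNTSecurityIdentifier"
    elif [ -n "$admin_sid" ]; then
        echo "aci: admin sees the SID but cifs does not; check the ACIs"
    elif [ -z "$cifs_sid" ]; then
        echo "add-sids: SID missing; re-run ipa-adtrust-install --add-sids"
    else
        echo "unexpected: cifs sees a SID that admin does not"
    fi
}

# Constructed sample output (DN and SID are made up for the demonstration).
write_samples() {
    cat > "$1/with_sid.ldif" <<'EOF'
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
EOF
    cat > "$1/no_sid.ldif" <<'EOF'
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
diagnose_smb_group "$tmp/with_sid.ldif" "$tmp/with_sid.ldif"
diagnose_smb_group "$tmp/with_sid.ldif" "$tmp/no_sid.ldif"
diagnose_smb_group "$tmp/no_sid.ldif" "$tmp/no_sid.ldif"
rm -rf "$tmp"
```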
