Hi Alexander,

Thank you for the pointers. However, it seems that I am still not getting the ipaNTSecurityIdentifier returned, even after re-running the ipa-adtrust-install --add-sids (which I believe it gave me the option for on initial install, and I said yes).

I followed the steps on this site (I believe you directed me there) http://firstyear.id.au/entry/22 and the output from the commands:

[root@ipa-server-2 ~]# kinit admin
Password for ad...@foo.bar:
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: ad...@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@ipa-server-2 ~]# kdestroy
[root@ipa-server-2 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: cifs/ipa-server-2.foo....@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=bar> (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

On 7/22/15 12:53 PM, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, William Graboyes wrote:
>> Hi All,
>>
>> I have been messing around with AD trust installs mainly around
>> doing ntlm_auth for a radius server.
>>
>> However, as I was unable to see some of the needed resources, I
>> thought maybe IPA may need a kick.
>>
> This is your problem:
>> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22 11:03:19.824614, 0] ipa_sam.c:3574(get_fallback_group_sid)
>> Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory attribute ipaNTSecurityIdentifier.
> What did you do?
>
> Try to search as admin and as cifs/`hostname`:
> # kinit admin
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
> # kdestroy
> # kinit -kt /etc/samba/samba.keytab cifs/`hostname`
> # ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
>
> If the first one gives you a proper entry with
> ipaNTSecurityIdentifier and the second one does not return the same
> entry, you've broken ACIs.
>
> If both of them are failing, you need to re-run
> ipa-adtrust-install --add-sids to fix that.
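The comparison described in the quoted reply (search as admin, search as cifs/`hostname`, compare which one returns ipaNTSecurityIdentifier) can be applied to saved ldapsearch output. This is an added example, not part of the original thread or the FreeIPA code; the function names, result labels and the SID value are constructed for illustration.

```python
import re

SID_ATTR = "ipantsecurityidentifier"  # attribute names compare case-insensitively

def parse_ldif(text):
    """Parse ldapsearch output into {dn: {attr: [values]}} (base64 '::' values not decoded)."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None              # a blank line ends the current entry
        elif line.startswith("#"):
            continue                    # LDIF comment
        elif line.lower().startswith("dn:"):
            current = entries.setdefault(line[3:].strip().lower(), {})
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def has_sid(ldif, cn="Default SMB Group"):
    """True if the group's cn=accounts entry carries a SID (the compat entry never does)."""
    prefix = f"cn={cn.lower()},cn=groups,cn=accounts,"
    return any(dn.startswith(prefix) and SID_ATTR in attrs
               for dn, attrs in parse_ldif(ldif).items())

def diagnose(admin_ldif, cifs_ldif):
    """Apply the rule from the quoted reply to the admin and cifs/ search results."""
    admin, cifs = has_sid(admin_ldif), has_sid(cifs_ldif)
    if admin:  # admin sees the SID; if the cifs principal does not, suspect ACIs
        return "ok" if cifs else "check-acis"
    # neither sees it: re-run --add-sids; cifs-only is a case the thread does not cover
    return "unexpected" if cifs else "rerun-add-sids"

# Constructed sample, trimmed from the output posted above (no SID present).
NO_SID = """\
SASL SSF: 56
# extended LDIF

dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
description: Fallback group for primary group RID, do not add users to this gr
 oup
gidNumber: 3512

search: 4
"""
# Same entry with a made-up SID value added.
WITH_SID = NO_SID.replace("3512\n", "3512\nipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001\n")
print(diagnose(NO_SID, NO_SID), diagnose(WITH_SID, NO_SID))
```

Feed it the two outputs captured with `ldapsearch ... > admin.ldif` and `> cifs.ldif`; the SASL banner and the trailing `search:`/`result:` lines are ignored because they fall outside any entry.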