Hi Alexander

Thanks for your reply...

The problem here was apparently SELinux, after setting:

setsebool -P samba_load_libgfapi 1
setsebool -P samba_portmapper 1

The lsasd deamon was able to startup correctly...

Now I'm faced with another issue:

ACCESS DENIED (granted: 0x00000201; required: 0x00000010)

i'm trying to use the user "mj" to do the join:

[root@bart ~]# id mj
uid=1935800001(mj) gid=1935800001(mj) 
[root@bart ~]# net groupmap list
Domain Users (S-1-5-21-3189138339-1730592290-4215248117-513) -> ntusers
Domain Admins (S-1-5-21-3189138339-1730592290-4215248117-512) -> ntadmins
Domain Guests (S-1-5-21-3189138339-1730592290-4215248117-514) -> nobody

Any thoughts???

You say that freeipa with ipasam is not supported with NT4 domain... Is there a 
supported way to do this?? (Sambav4 AD??? Couldn't get it to work)...

My configuration is below...



        workgroup = BOLLS
        netbios name = BART
        realm = BOLLS.LAN
        kerberos method = dedicated keytab
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        create krb5 conf = no
        security = user
        domain master = yes
        domain logons = yes
        log level = 3
        max log size = 100000
        log file = /var/log/samba/log.%m
        passdb backend = ipasam:ldaps://lisa.bolls.lan
        disable spoolss = yes
        ldapsam:trusted = yes
        ldap ssl = off
        ldap suffix = dc=bolls,dc=lan
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        rpc_server:epmapper = external
        rpc_server:lsarpc = external
        rpc_server:lsass = external
        rpc_server:lsasd = external
        rpc_server:samr = external
        rpc_server:netlogon = external
        rpc_server:tcpip = yes
        rpc_daemon:epmd = fork
        rpc_daemon:lsasd = fork
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U

        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        comment = All Printers
        path = /var/spool/samba
        printer admin = root, mj
        create mask = 0600
        guest ok = Yes
        printable = Yes
        browseable = No
        comment = Printer Drivers Share
        path = /var/lib/samba/drivers
        write list = mj, root
        printer admin = mj, root
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        admin users = root, mj
        guest ok = Yes
        browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/mj
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes

----- Original meddelelse -----
Fra: "Alexander Bokovoy" <aboko...@redhat.com>
Til: "mj" <m...@casalogic.dk>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Sendt: lørdag, 27. februar 2016 15:17:14
Emne: Re: [Freeipa-users] Error joining domain: tstream_npa_connect_recv to 
/run/samba/ncalrpc/np for pipe lsarpc

On Sat, 27 Feb 2016, Martin Juhl wrote: 
>Hi guys 
>I have setup a NT4 Domain, using Freeipa as a ipasam backend... 
>Normal user authentication and shares seems to work, but i'm getting an 
>error when trying to join a Windows 7 machine to the domain (see 
>To me it seems to be the same error as here: 
>Does anyone know if this patch have been implemented in the freeipa in 
This should be fixed in RHEL 7 after rebase to 4.2.3, according to 
upstream git: 

$ git tag --contains 9a86ca9779c7be9cd6e2f6f7c18233d1c9883bef | head -1 

RHEL 7 had 4.2.3 coming as 
* Tue Jul 14 2015 Andreas Schneider <a...@redhat.com> - 4.2.3-1 
- related: #1196140 - Rebase to version 4.2.3 
- resolves: #1237036 - Fix DCERPC PDU calculation 
- resolves: #1237039 - Fix winbind request cancellation 
- resolves: #1223981 - Fix possible segfault with smbX protocol setting 

>Or is this another issue???? 
Most likely it is. We do not support using FreeIPA via ipasam as NT4 
domain controller and this mode was never tested. I don't know how 
exactly you run ipasam configuration. 

/ Alexander Bokovoy 

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to