On 03/06/16 15:11, Sumit Bose wrote:
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
hi users,

I have samba and sssd trying AD; it's 7.2 Linux.

That Linux box talks to the AD DC via sssd and samba; win10 clients get
to the samba shares, getent pass sees AD users, samba can get to the DC's shares and
the win10 clients' shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may
provide more information: Server cifs/swir.private....@private.dom not found
in Kerberos database]
Which realm is PRIVATE.DOM? What does

     $ klist -k -t /etc/krb5.swir.ccnr.keytab

return?
$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr....@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr....@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr....@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr....@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr....@ccnr.dom

and swir runs samba, but I should have mentioned that I'm trying to sssd together AD & IPA. From a DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom; everything seems to resolve OK at both the AD and IPA ends.
And my sssd.conf:
------------
ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home
--------------

AD DC (whose shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
        cifs/swir.private.ccnr....@ccnr.dom
        host/swir.private.ccnr.dom
        host/swir.private.ccnr....@ccnr.dom
        HOST/SWIR

like I said, getent and id see both domains
If I
$ kinit m...@ccnr.dom
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: m...@ccnr.dom

Valid starting     Expires            Service principal
03/06/16 16:37:06  04/06/16 02:37:06  krbtgt/ccnr....@ccnr.dom


$ smbclient -L //$(hostname) -U m...@ccnr.dom -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ccnr....@private.ccnr.dom not found in Kerberos database] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

what I see in the last one above is cifs/swir.private.ccnr....@private.ccnr.dom; I've just realized, for some reason, and maybe a valid one, smbclient doesn't do cifs/swir.private.ccnr....@ccnr.dom, which is in the keytabs.

but smbclient fails without -k, which I understand should then use a password and should be sufficient to authenticate.

many thanks Sumit,
L.

bye,
Sumit

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance; I set it up
following the samba sssd wiki.

   security = ads
   realm = CCNR.DOM
   workgroup = CCNR

   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
   client signing = auto
   client use spnego = yes
   encrypt passwords = yes
   password server = ccnr-winsrv1.ccnr.dom
   netbios name = SWIR

   template shell = /bin/bash
   template homedir = /home/%D/%U

   preferred master = no
   dns proxy = no
   wins server = ccnr-winsrv1.ccnr.dom
   wins proxy = no

   inherit acls = Yes
   map acl inherit = Yes
   acl group control = yes


and in samba log:

   domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
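The thread turns on a realm mismatch: `smbclient -k` asks the KDC for `cifs/swir.private.ccnr....@private.ccnr.dom`, while the keytab lists its entries under `ccnr.dom`. As an added example (not code from the thread, nor from Samba, SSSD or FreeIPA), the script below reads a `klist -k -t` listing and reports whether the `cifs/<fqdn>@<REALM>` principal a client will request is present, whether the same service/host exists only under another realm, or whether no entry exists at all. The listing is constructed to match the layout shown above (the cifs/ line is an assumption; the thread's output shows only host/ entries), and all function names are mine.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, nor from Samba/SSSD/FreeIPA):
# compare the cifs/ principal a Kerberos client will ask for with the
# principals actually present in a keytab listing.

# Constructed sample in the layout of `klist -k -t` (host name and realm
# taken from the thread; the cifs/ entry is assumed).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 cifs/swir.private.ccnr.dom@CCNR.DOM'

# Print the principal column of a klist -k -t listing, one per line, deduplicated.
# Entry lines start with a numeric KVNO; header and separator lines do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# The principal an SMB client requests for server $1 in realm $2.
expected_cifs_spn() {
    printf 'cifs/%s@%s\n' "$1" "$2"
}

# Succeed if listing $1 contains principal $2 exactly.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# check_cifs_spn LISTING FQDN REALM
# Prints one line and returns 0 (FOUND), 1 (REALM_MISMATCH: the same
# cifs/FQDN exists under another realm) or 2 (MISSING).
check_cifs_spn() {
    want=$(expected_cifs_spn "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        echo "FOUND: $want"
        return 0
    fi
    other=$(keytab_principals "$1" | grep -F "cifs/$2@" | head -n 1)
    if [ -n "$other" ]; then
        echo "REALM_MISMATCH: client wants $want, keytab has $other"
        return 1
    fi
    echo "MISSING: no cifs/$2 entry in keytab"
    return 2
}

# Stand-alone demo: the keytab's realm versus the realm the client derived
# from the host's DNS domain in the error message quoted in the thread.
check_cifs_spn "$SAMPLE_KLIST" swir.private.ccnr.dom CCNR.DOM || true
check_cifs_spn "$SAMPLE_KLIST" swir.private.ccnr.dom PRIVATE.CCNR.DOM || true
```

On a live host, replace the constructed listing with the real output of `klist -k -t /etc/krb5.swir.ccnr.keytab` and pass the realm that appears in the client's "not found in Kerberos database" message; a REALM_MISMATCH result tells you the key exists but the client is resolving the host to a different realm than the one the keytab was issued for, which is a different problem from a missing SPN.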
