On 9/16/16, 12:04 AM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

    On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
    >On 9/15/16, 1:06 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
    >    On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
    >    >All,
    >    >  I’m working on setting up Samba to serve files from a server 
    >    >  to our IPA domain. I followed the directions in
    >    >  
    >    >  Everything seems to work and I can access the files from another 
    >    >  server attached to the same domain using a Kerberos ticket from a
    >    >  user from the trusted AD domain. However, I can’t access this share
    >    >  from a windows client that is also attached to the trusted AD 
    >    >
    >    >My smb.conf is as follows:
    >    >[global]
    >    >        workgroup = IPA
    >    >        realm = IPA.DOMAIN
    >    >        kerberos method = dedicated keytab
    >    >        dedicated keytab file = FILE:/etc/samba/samba.keytab
    >    >        log file = /var/log/samba/log.%m
    >    >        log level = 3
    >    >        security = ads
    >    >        load printers = no
    >    >        disable spoolss = yes
    >    >        map to guest = Never
    >    >        restrict anonymous = 2
    >    >
    >    >[spacetest]
    >    >        path = /var/www
    >    >        writable = yes
    >    >        browsable = yes
    >    >
    >    >I put the keytab in place from the cifs service from the IPA server.
    >    >
    >    >I feel like I’m missing something small, but I can’t seem to find it.
    >    >Logs from samba are here: http://pastebin.com/aMDXfR78
    >    These logs show that your Windows client did not use Kerberos but tried
    >    to authenticate with password using NTLMSSP. This is not supported yet,
    >    as written on the page you used for the setup guidance.
    >    You need to find out why Windows client didn't use Kerberos.
    >    Is your trust to AD really working?
    >We’re authenticating AD users on the hosts that are connected to IPA.
    >We’re able to create external groups and associate them with internal
    >groups for HBAC and sudoers rules. Is there something else I should
    >check to see if the trust is working? It’s entirely possible I missed
    >something somewhere in the setup, but I don’t think I did.
    Start by listing your configuration. Show:
     - ipa service-show cifs/samba.server.host (using FQDN hostname)
     - ipa trust-show ad.domain
     - kinit user@AD.DOMAIN ;  KRB5_TRACE=/dev/stderr smbclient -k 
     - Try to access \\samba.server.host\share from Windows host and then
       show 'klist' in the Windows shell, or alternatively,
     - if you are using Windows Server 2012 or later, show output of
       'klist get cifs/samba.server.host@IPA.DOMAIN'
     - show any lines related to use user@AD.DOMAIN and
       cifs/samba.server.host from /var/log/krb5kdc.log on IPA master
    You can replace actual hostnames/realm names/IP addresses by something more 
    in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but from your 
response, it looks like I wasn’t. I’m sorry about that. I got yelled at by our 
security team last time we sent logs to a public list that had any type of 
identifiable information in them, so it’s sort of a new process for me. I think 
I have it down now. 

The results of the commands are here: http://pastebin.com/PRwr7wv6

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
T: 773-834-0458 | http://cri.uchicago.edu

This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please 
notify the sender and destroy all copies of the transmittal. 

Thank you
University of Chicago Medicine and Biological Sciences 

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to