I have a problem with Samba setup that I haven't been able to overcome for
months.  I am trying to setup samba on RHEL 7 using SSSD instead of winbind

Currently, I have a one way trust between the production Active directory
and productin IPA.  I have users on IPA and Active directory. For example,
I have an account called will...@activedirectory.example.com and
will...@ipa.example.com.  To get sharing working, I have created a posix
group that now have of the above users.  The intent is, I should be able to
write to my Linux home user irrespective of what account I log in with.

        comment = Home Directories
        path = /home/william
        browseable = yes
        writeable = yes
        valid users = @william_posix_group

 From any of the IPA clients, samba seem to work fine.  I can login with
samba client, delete, list and do anything.  With klist, I do see both the
CIFS and Linux host ticket.

>From Windows though, it don't work.  I see that the Windows system did
actually get the host ticket for the server running samba,  the Windows
hots ticket  but the CIFS ticket is missing.

With that background, I have setup a dummy active directory called
test.local.  Essentially, I intend to destroy it once I verify that the
behaviour is consistent with the production active directory.  I am however
stuck with DNS setup, and can't therefore establish trust between
production IPA and dummy active directory.

Would you know what I could be doing wrong with from the logs below?

[root@lithium ~]# ipa dnsforwardzone-add test.local.
--forwarder= --forward-policy=first
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'test.local. SOA' failed
DNSSEC validation on server
Please verify your DNSSEC configuration or disable DNSSEC validation on all
IPA servers.
  Zone name: test.local.
  Active zone: TRUE
  Zone forwarders:
  Forward policy: first
[root@lithium ~]# dig  +short -t SRV _kerberos._udp.dc._msdcs.test.local
[root@lithium ~]# dig @  +short -t SRV
0 100 88 server.test.local.
[root@lithium ~]#

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to