I have a problem with Samba setup that I haven't been able to overcome for
months. I am trying to setup samba on RHEL 7 using SSSD instead of winbind
Currently, I have a one way trust between the production Active directory
and productin IPA. I have users on IPA and Active directory. For example,
I have an account called will...@activedirectory.example.com and
will...@ipa.example.com. To get sharing working, I have created a posix
group that now have of the above users. The intent is, I should be able to
write to my Linux home user irrespective of what account I log in with.
comment = Home Directories
path = /home/william
browseable = yes
writeable = yes
valid users = @william_posix_group
From any of the IPA clients, samba seem to work fine. I can login with
samba client, delete, list and do anything. With klist, I do see both the
CIFS and Linux host ticket.
>From Windows though, it don't work. I see that the Windows system did
actually get the host ticket for the server running samba, the Windows
hots ticket but the CIFS ticket is missing.
With that background, I have setup a dummy active directory called
test.local. Essentially, I intend to destroy it once I verify that the
behaviour is consistent with the production active directory. I am however
stuck with DNS setup, and can't therefore establish trust between
production IPA and dummy active directory.
Would you know what I could be doing wrong with from the logs below?
[root@lithium ~]# ipa dnsforwardzone-add test.local.
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'test.local. SOA' failed
DNSSEC validation on server 192.168.20.1.
Please verify your DNSSEC configuration or disable DNSSEC validation on all
Zone name: test.local.
Active zone: TRUE
Zone forwarders: 192.168.11.56
Forward policy: first
[root@lithium ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.test.local
[root@lithium ~]# dig @192.168.11.56 +short -t SRV
0 100 88 server.test.local.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project