Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On Mon, 06 Jun 2016, lejeczek wrote:
>>> Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts no syncing).
>>
>> I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For anything else only Kerberos would work.
>
> I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.

Configs were not really helpful without a bigger picture.

>>> Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?
>>
>> SIDs to UID/GID on the system.
>>
>> You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your situation to comment on it.
>
> not magically, no, it's the same one box, IPA server and at the same time samba (non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD. And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully.

Ok.

> Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd (which samba being an AD's client also uses) with no winbind at this point.

Yes, you have two different user db backends, and there is not enough interoperability between them yet. As you can guess, this is not really supported -- I would rather not spend time on that myself as there are more urgent issues to fix that scale better.

> Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running setup like mine?

It is not a question of whether you want something. It is required, as Windows world is different from POSIX and something needs to map between concepts in both worlds. That something is called Samba and it requires a proper configuration for SID/ID mapping -- which is done by winbindd.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
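Alexander's point above is that the SID-to-POSIX-ID translation is not optional, and that a winbindd running beside SSSD must map every SID to the same ID that SSSD does. The example below is added here to make that concrete; it is not code from the thread, from Samba or from SSSD. It implements the arithmetic Samba's idmap_rid backend documents (ID = RID - base_rid + range_low, refused outside the configured range) and a small check that two independently configured mappers agree. The domain SID S-1-5-21-1111-2222-3333 and the ID ranges are made up for illustration.

```python
"""SID <-> POSIX ID mapping as Samba's idmap_rid backend computes it, plus a
check that two mappers (e.g. winbindd and SSSD) agree on the result.

Added example, not code from the thread, Samba or SSSD.  The domain SID and
the ID ranges below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).

    A SID is 'S', revision 1, an identifier authority, then one or more
    sub-authorities; the last sub-authority is the RID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1" \
            or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass(frozen=True)
class RidMapper:
    """One `idmap config DOMAIN : backend = rid` block.

    ID = RID - base_rid + range_low; anything that lands outside
    [range_low, range_high] is reported as unmapped (None)."""
    domain_sid: str
    range_low: int
    range_high: int
    base_rid: int = 0

    def sid_to_id(self, sid: str) -> Optional[int]:
        domain, rid = parse_sid(sid)
        if domain != self.domain_sid:
            return None  # another domain: not this block's job
        posix_id = rid - self.base_rid + self.range_low
        if not self.range_low <= posix_id <= self.range_high:
            return None  # outside the configured range: unmapped
        return posix_id

    def id_to_sid(self, posix_id: int) -> Optional[str]:
        if not self.range_low <= posix_id <= self.range_high:
            return None
        return f"{self.domain_sid}-{posix_id - self.range_low + self.base_rid}"


def mappers_agree(mappers: Sequence[RidMapper], sid: str) -> Tuple[bool, List[Optional[int]]]:
    """Every component that maps the SID must produce the same POSIX ID,
    otherwise a file owned via one of them looks foreign through the other."""
    ids = [m.sid_to_id(sid) for m in mappers]
    return len(set(ids)) == 1, ids


if __name__ == "__main__":
    ccnr = RidMapper("S-1-5-21-1111-2222-3333", 10000, 999999)      # made-up domain SID
    other = RidMapper("S-1-5-21-1111-2222-3333", 200000, 2000000)   # same domain, other range
    sid = "S-1-5-21-1111-2222-3333-1105"
    uid = ccnr.sid_to_id(sid)
    print(f"{sid} -> uid {uid} -> {ccnr.id_to_sid(uid)}")
    print("both mappers agree:", mappers_agree([ccnr, other], sid))
```

The disagreement case is the one to watch for in the setup discussed here: the posted sssd.conf has `ldap_id_mapping = True`, and SSSD's algorithmic mapping slices the ID range by a hash of the domain SID rather than using the plain rid arithmetic above, so a winbindd configured with `backend = rid` next to it would hand out different UIDs for the same SID. Getting the "same understanding" Alexander asks for means either letting winbindd defer to SSSD (the idmap_sss module that SSSD ships for this purpose) or pointing both at the same explicit source of POSIX IDs.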
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 06/06/16 12:42, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, lejeczek wrote:
>>> SMB services with Kerberos require use of cifs/ service principal. Your keytab only has host/ keys, and your AD machine account for the does not have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server.
>>
>> Alexander, thanks! yes, cifs needs to be in keytab file, smbclient to itself (on smb server locally) works now with -k.
>> I wonder - should it also work with only passwords? It does not, for me.
>>
>> Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts no syncing).
>
> I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For anything else only Kerberos would work.

I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.

>> Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?
>
> SIDs to UID/GID on the system.
>
> You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your situation to comment on it.

not magically, no, it's the same one box, IPA server and at the same time samba (non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD. And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully.

Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd (which samba being an AD's client also uses) with no winbind at this point.

Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running setup like mine?

>> Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg. ssh m...@my.dom@swir.private.my.dom (I think I had it worked with winbind in nsswitch)
>
> SSSD client as IPA client will work with passwords in AD but only if trust is established between IPA and AD.
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On Fri, 03 Jun 2016, lejeczek wrote:
> On 03/06/16 15:22, Alexander Bokovoy wrote:
>> On Fri, 03 Jun 2016, lejeczek wrote:
>>> hi users,
>>>
>>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>>
>>> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>>>
>>> smbclient @samba, in other words - to itself - fails
>>>
>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.
>>
>> If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain.
>>
>> However, the Kerberos error below makes me think you have some problems on AD side as well.
>
> no winbind, I hope to completely rely on sssd.

You cannot -- at least for now. Samba needs translation between SIDs and POSIX IDs. This translation cannot be done by SSSD alone right now because there is no separate mechanism to supply that translation into Samba from the system level. SSSD can be used to imitate SID translation interface of winbindd by providing a libwbclient replacement but this would mean a lot of other functionality winbindd provides will be missing as SSSD does not implement it.

Finally, you can run winbindd in parallel to SSSD. You just need to ensure they both have the same understanding how to map usernames and group names to POSIX ID and back. And you don't need to add winbindd to /etc/nsswitch.conf or PAM configuration.

> I should have mentioned that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.
> thanks!

SMB services with Kerberos require use of cifs/ service principal. Your keytab only has host/ keys, and your AD machine account for the does not have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server.

>>> and with smbclient -k
>>>
>>> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]
>>
>> The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.
>>
>>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>>
>>> here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.
>>>
>>> security = ads
>>> realm = CCNR.DOM
>>> workgroup = CCNR
>>>
>>> kerberos method = secrets and keytab
>>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>> client signing = auto
>>> client use spnego = yes
>>> encrypt passwords = yes
>>> password server = ccnr-winsrv1.ccnr.dom
>>> netbios name = SWIR
>>>
>>> template shell = /bin/bash
>>> template homedir = /home/%D/%U
>>>
>>> preferred master = no
>>> dns proxy = no
>>> wins server = ccnr-winsrv1.ccnr.dom
>>> wins proxy = no
>>>
>>> inherit acls = Yes
>>> map acl inherit = Yes
>>> acl group control = yes
>>>
>>> and in samba log:
>>>
>>> domain_client_validate: Domain password server not available.
>>>
>>> I've tried samba user list, dead silence.
>>>
>>> many thanks,
>>>
>>> L.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 03/06/16 15:22, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>> hi users,
>>
>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.
>
> If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain.
>
> However, the Kerberos error below makes me think you have some problems on AD side as well.

no winbind, I hope to completely rely on sssd.
I should have mentioned that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.
thanks!

>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]
>
> The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.
>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.
>>
>> security = ads
>> realm = CCNR.DOM
>> workgroup = CCNR
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>> client signing = auto
>> client use spnego = yes
>> encrypt passwords = yes
>> password server = ccnr-winsrv1.ccnr.dom
>> netbios name = SWIR
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> preferred master = no
>> dns proxy = no
>> wins server = ccnr-winsrv1.ccnr.dom
>> wins proxy = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> and in samba log:
>>
>> domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 03/06/16 15:11, Sumit Bose wrote:
> On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
>> hi users,
>>
>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]
>
> Which realm is PRIVATE.DOM?
>
> What does
>
> $ klist -k -t /etc/krb5.swir.ccnr.keytab
>
> return?

$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
   4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom

and swir runs samba, but I'm trying to sssd together AD & IPA, I should have mentioned.
From DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom, everything seems to resolve OK, both @AD and @IPA ends.

And my sssd.conf:

ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home

--

AD DC (to which shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
        cifs/swir.private.ccnr@ccnr.dom
        host/swir.private.ccnr.dom
        host/swir.private.ccnr@ccnr.dom
        HOST/SWIR

like I said, getent and id see both domains

If I

$ kinit m...@ccnr.dom
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: m...@ccnr.dom

Valid starting       Expires              Service principal
03/06/16 16:37:06    04/06/16 02:37:06    krbtgt/ccnr@ccnr.dom

$ smbclient -L //$(hostname) -U m...@ccnr.dom -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ccnr@private.ccnr.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

what I see in last one above is - cifs/swir.private.ccnr@private.ccnr.dom
I've just realized, for some reason, and maybe a valid one, smbclient doesn't do - cifs/swir.private.ccnr@ccnr.dom which is in the keytabs.

but smbclient fails without -k which I understand should then use a password and should be sufficient to authenticate.

many thanks Sumit,
L.

> bye,
> Sumit
>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.
>>
>> security = ads
>> realm = CCNR.DOM
>> workgroup = CCNR
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>> client signing = auto
>> client use spnego = yes
>> encrypt passwords = yes
>> password server = ccnr-winsrv1.ccnr.dom
>> netbios name = SWIR
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> preferred master = no
>> dns proxy = no
>> wins server = ccnr-winsrv1.ccnr.dom
>> wins proxy = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> and in samba log:
>>
>> domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
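The keytab listing and the setspn output above, together with Alexander's remark that the KDC for PRIVATE.DOM does not know a cifs/ principal, describe two separate ways `smbclient -k` can fail: the keytab lacks a key for the service the client asks for, or the client derives a different realm for the host than the one the key was issued in. The following script is an added example, not code from the thread, Samba or MIT krb5. It parses `klist -k -t` output, resolves the realm for a hostname the way a `[domain_realm]` section in krb5.conf is documented to work, and reports whether the principal a GSSAPI client would request is actually present. The klist output is constructed to mirror the posted one (host/ keys only, with the realm written out rather than in the archive's obfuscated form), and the `[domain_realm]` mapping plus the IPA realm name PRIVATE.CCNR.DOM are assumptions: the thread never shows this host's krb5.conf.

```python
"""Does the keytab hold the service principal the client will actually ask for?

Added example, not code from the thread, Samba or MIT krb5.  The klist output
is constructed to mirror what lejeczek posted (host/ keys only, realm written
out); the [domain_realm] mapping and the realm name PRIVATE.CCNR.DOM are
assumptions about this host's krb5.conf, which the thread does not show.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of `klist -k -t /etc/krb5.swir.ccnr.keytab` output.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
"""

# Assumed [domain_realm] section: the entries an IPA install writes for its own
# DNS domain, and nothing for the parent AD domain ccnr.dom.
DOMAIN_REALM: Dict[str, str] = {
    "private.ccnr.dom": "PRIVATE.CCNR.DOM",
    ".private.ccnr.dom": "PRIVATE.CCNR.DOM",
}


def parse_klist_keytab(text: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) pairs from `klist -k -t` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a numeric KVNO and end with service/host@REALM.
        if len(parts) >= 2 and parts[0].isdigit() and "@" in parts[-1]:
            entries.append((int(parts[0]), parts[-1]))
    return entries


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """[domain_realm] lookup as krb5.conf documents it: an exact hostname entry
    wins, then parent domains written with a leading dot, most specific first.
    None means no entry (libkrb5 then falls back to default_realm/referrals)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


@dataclass
class KeytabCheck:
    wanted: str                      # principal the client will request a ticket for
    present: bool                    # is exactly that principal in the keytab?
    same_service: List[str] = field(default_factory=list)  # same service, other realm
    same_host: List[str] = field(default_factory=list)     # other services, this host


def keytab_check(klist_text: str, service: str, hostname: str,
                 domain_realm: Dict[str, str], default_realm: str) -> KeytabCheck:
    """Build service/host@REALM the way a GSSAPI client does, then see whether
    the keytab has a key that could decrypt a ticket for it."""
    host = hostname.lower().rstrip(".")
    realm = host_realm(host, domain_realm) or default_realm
    wanted = f"{service}/{host}@{realm}"
    have = sorted({p for _, p in parse_klist_keytab(klist_text)})
    result = KeytabCheck(wanted=wanted, present=wanted in have)
    for princ in have:
        name, _, princ_realm = princ.partition("@")
        svc, _, princ_host = name.partition("/")
        if princ_host.lower() != host:
            continue
        if svc == service and princ_realm != realm:
            result.same_service.append(princ)   # key exists, but in another realm
        elif svc != service:
            result.same_host.append(princ)      # e.g. host/ present, cifs/ missing
    return result


if __name__ == "__main__":
    r = keytab_check(KLIST_OUTPUT, "cifs", "swir.private.ccnr.dom", DOMAIN_REALM, "CCNR.DOM")
    print(f"client will ask for {r.wanted}: present={r.present}")
    print(f"  other services for this host: {r.same_host}")
    print(f"  cifs/ keys in other realms:   {r.same_service}")
```

Run against the constructed listing it reports that the client would request `cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM` while the keytab only holds `host/swir.private.ccnr.dom@CCNR.DOM`, which is the shape of the failure above. Adding the cifs/ key alone is not enough under that mapping: the check then lists the new key under "other realms", because the client still derives the IPA realm for the hostname. On the live system, `klist -k -t` feeds the parser directly, and `kvno cifs/$(hostname -f)` after `kinit` shows which realm the client really asks.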
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On Fri, 03 Jun 2016, lejeczek wrote:
> hi users,
>
> I have a samba and sssd trying AD, it's 7.2 Linux.
>
> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>
> smbclient @samba, in other words - to itself - fails
>
> session setup failed: NT_STATUS_LOGON_FAILURE

Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.

If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain.

However, the Kerberos error below makes me think you have some problems on AD side as well.

> and with smbclient -k
>
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]

The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.

> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.
>
> security = ads
> realm = CCNR.DOM
> workgroup = CCNR
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
> client signing = auto
> client use spnego = yes
> encrypt passwords = yes
> password server = ccnr-winsrv1.ccnr.dom
> netbios name = SWIR
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> preferred master = no
> dns proxy = no
> wins server = ccnr-winsrv1.ccnr.dom
> wins proxy = no
>
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
>
> and in samba log:
>
> domain_client_validate: Domain password server not available.
>
> I've tried samba user list, dead silence.
>
> many thanks,
>
> L.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
> hi users,
>
> I have a samba and sssd trying AD, it's 7.2 Linux.
>
> That linux box is via sssd and samba talking to AD DC and win10 clients get
> to samba shares, getent pass sees AD users, samba can get to DC's shares and
> win10's clients shares, all good except...
>
> smbclient @samba, in other words - to itself - fails
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> and with smbclient -k
>
> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may
> provide more information: Server cifs/swir.private@private.dom not found
> in Kerberos database]

Which realm is PRIVATE.DOM?

What does

$ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

bye,
Sumit

>
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> here is a snippet from smb.conf which I thought has relevance, I set it up
> following samba sssd wiki.
>
> security = ads
> realm = CCNR.DOM
> workgroup = CCNR
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
> client signing = auto
> client use spnego = yes
> encrypt passwords = yes
> password server = ccnr-winsrv1.ccnr.dom
> netbios name = SWIR
>
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> preferred master = no
> dns proxy = no
> wins server = ccnr-winsrv1.ccnr.dom
> wins proxy = no
>
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
>
>
> and in samba log:
>
> domain_client_validate: Domain password server not available.
>
> I've tried samba user list, dead silence.
>
> many thanks,
>
> L.
[Freeipa-users] a bit off topic- samba + sssd => AD
hi users,

I have a samba and sssd trying AD, it's 7.2 Linux.

That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...

smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.

security = ads
realm = CCNR.DOM
workgroup = CCNR

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR

template shell = /bin/bash
template homedir = /home/%D/%U

preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no

inherit acls = Yes
map acl inherit = Yes
acl group control = yes

and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks,

L.