Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-02 Thread TomK

On 12/2/2016 8:43 AM, Sumit Bose wrote:

On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:

Hey All,

I've successfully mapped the nixadmins to the external group
nixadmins_external.  However no users in that group make it over to Free IPA
that I can see.

ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins. However
I can't port them over.

These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users in the
mapped groups above?  ( ie within the GUI should I see any users listed from
AD DC in nixadmins or nixadmins_external? )


no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent versions of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well; older versions might miss them.

HTH

bye,
Sumit



If there is an issue and I'm just not picking it out from the debug logs,
what to look for?  Is there anything more I need to do on the Windows side
that I haven't found on the existing pages?


# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find command
to list them.


Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find command
to list them.


Number of entries returned 0

#


The following command successfully returns all AD objects under the Users
cn.

# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn


--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Nothing:

# id t...@abc.xyz
id: t...@abc.xyz: no such user
# getent group nixadmins_external
# getent group nixadmins
nixadmins:*:1746600012:
#

I'll enable debug logging to determine further.

--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

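
An added check, not part of Tom's or Sumit's posts: an `--external` member is stored as a SID, and SSSD can only resolve it through a trusted domain whose SID is the prefix of that member SID. The script below parses the SIDs exactly as printed in the output above and reports, for each external member, whether any domain listed by `ipa trustdomain-find` issued it. Run on the posted values it reports the nixadmins SID (prefix S-1-5-21-3418825849-1633701630-2291579631) as issued by a domain whose SID does not appear in the trustdomain-find output for abc.xyz; the remaining member SIDs in the block are constructed for illustration, and the domain list is just the one trustdomain-find entry from the thread.

```python
"""Added example (not from the thread): check that an IPA external group
member SID belongs to a domain the IPA trust actually knows about.

The trusted-domain SID and the first member SID are copied from the command
output in the thread; every other SID below is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# NT domain SID: S-1-5-21-<a>-<b>-<c>; an account or group SID appends a RID.
_DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}$")
_MEMBER_SID = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}-\d{1,10}$")

# Trusted domains as 'ipa trustdomain-find abc.xyz' reported them in the thread.
TRUSTED_DOMAINS: Dict[str, str] = {
    "abc.xyz": "S-1-5-21-1803828911-4163023034-2461700517",
}

# External member SID as shown by 'ipa group-add-member ... --external'.
POSTED_EXTERNAL_MEMBER = "S-1-5-21-3418825849-1633701630-2291579631-1006"


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a domain-scoped account/group SID.

    Well-known SIDs such as S-1-5-32-544 (BUILTIN Administrators) are not
    domain scoped and are rejected: no trusted domain can own them.
    """
    if not _MEMBER_SID.match(sid):
        raise ValueError(f"not a domain account/group SID: {sid}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def resolve_external_member(sid: str, trusted: Dict[str, str]) -> Optional[str]:
    """Name of the trusted domain that issued `sid`, or None when no trusted
    domain SID is the prefix of `sid` (nothing for SSSD to resolve it against)."""
    prefix, _rid = split_domain_sid(sid)
    for name, domain_sid in trusted.items():
        if not _DOMAIN_SID.match(domain_sid):
            raise ValueError(f"bad domain SID for {name}: {domain_sid}")
        if domain_sid == prefix:
            return name
    return None


def audit_external_members(members: List[str], trusted: Dict[str, str]) -> Dict[str, str]:
    """Map each external member SID to a one-line verdict."""
    verdicts: Dict[str, str] = {}
    for sid in members:
        try:
            domain = resolve_external_member(sid, trusted)
        except ValueError as exc:
            verdicts[sid] = f"invalid: {exc}"
            continue
        if domain is None:
            verdicts[sid] = "unresolvable: issuing domain is not a known trust domain"
            continue
        _prefix, rid = split_domain_sid(sid)
        # RIDs below 1000 are reserved for well-known accounts and groups
        # (512 Domain Admins, 519 Enterprise Admins, ...); such a mapping
        # deserves a second look before it grants anything in IPA.
        flag = " (well-known RID)" if rid < 1000 else ""
        verdicts[sid] = f"ok: {domain}, RID {rid}{flag}"
    return verdicts


if __name__ == "__main__":
    sample = [
        POSTED_EXTERNAL_MEMBER,
        "S-1-5-21-1803828911-4163023034-2461700517-1106",  # constructed: in abc.xyz
        "S-1-5-21-1803828911-4163023034-2461700517-512",   # constructed: Domain Admins RID
        "S-1-5-32-544",                                    # BUILTIN Administrators
    ]
    for sid, verdict in audit_external_members(sample, TRUSTED_DOMAINS).items():
        print(f"{sid}: {verdict}")
```

The verdict for the posted SID is the one to act on: until `ipa trustdomain-find` lists a domain whose SID is S-1-5-21-3418825849-1633701630-2291579631, `id` and `getent` on this server have no domain to ask for that group's members.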


Re: [Freeipa-users] ACIerrors is httpd log

2016-12-02 Thread Rob Crittenden
Jim Richard wrote:
> Hmm ya. So before I rebuilt anything I thought maybe it was my DNS
> records but it looks like that’s not it.
> 
> More background, I used to have sso-109 and sso-110, both CA’s. I
> rebuilt sso-110 without CA.
> 
> My DNS is external, BIND on another host.
> 
> Using the following (at the end of the message) host/key issue as an
> example. On this host, in sssd.conf, ipa_server and krb5_server values
> are both _srv_ so that means they’ll discover from DNS right?
> 
> But in my krb5.conf I have:
> 
> [realms]
>   PLACEIQ.NET = {
> kdc = sso-110.nym1.placeiq.net:88
> master_kdc = sso-110.nym1.placeiq.net:88
> admin_server = sso-110.nym1.placeiq.net:749
> default_domain = placeiq.net
> pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> 
> Is there any other IPA related config file that might reference a host name?
> 
> I’ll include my DNS records at the end here, do they look correct for a
> two server setup, one with a CA (sso-109) and the other no CA (sso-110)?
> 
> I never have been sure about the “kerberos-master” entries, what makes
> an IPA host a “kerberos master” and is this related to the CA in any way?
> 
> ; ldap servers
> _ldap._tcp  IN SRV 0 100 389 sso-109.nym1.placeiq.net.
> _ldap._tcp  IN SRV 0 100 389 sso-110.nym1.placeiq.net.
> 
> ;kerberos realm
> _kerberos   IN TXT PLACEIQ.NET
> 
> ; kerberos servers
> _kerberos._tcp  IN SRV 0 100 88 sso-109.nym1.placeiq.net.
> _kerberos._tcp  IN SRV 0 100 88 sso-110.nym1.placeiq.net.
> 
> _kerberos._udp  IN SRV 0 100 88 sso-109.nym1.placeiq.net.
> _kerberos._udp  IN SRV 0 100 88 sso-110.nym1.placeiq.net.
> 
> _kerberos-master._tcp   IN SRV 0 100 88 sso-109.nym1.placeiq.net.
> _kerberos-master._udp   IN SRV 0 100 88 sso-109.nym1.placeiq.net.
> _kerberos-adm._tcp  IN SRV 0 100 749 sso-109.nym1.placeiq.net.
> _kerberos-adm._udp  IN SRV 0 100 749 sso-109.nym1.placeiq.net.
> 
> _kpasswd._tcp   IN SRV 0 100 464 sso-109.nym1.placeiq.net.
> _kpasswd._tcp   IN SRV 0 100 464 sso-110.nym1.placeiq.net.
> 
> _kpasswd._udp   IN SRV 0 100 464 sso-109.nym1.placeiq.net.
> _kpasswd._udp   IN SRV 0 100 464 sso-110.nym1.placeiq.net.
> 
> ; CNAME for IPA CA replicas (used for CRL, OCSP)
> ipa-ca  IN A 10.1.41.109
> 
> 
> Number of certificates and requests being tracked: 1.
> Request ID '20141110221330':
> status: MONITORING
> ca-error: Server at https://sso-110.nym1.placeiq.net/ipa/xml denied our
> request, giving up: 2100 (RPC failed at server.  Insufficient access: not
> allowed to perform this command).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
> Machine Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
> Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=PLACEIQ.NET
> subject: CN=phoenix-142.nym1.placeiq.net,O=PLACEIQ.NET
> expires: 2016-11-10 22:13:31 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 
> 
> 
> We are moving to latest version on RHEL so we'll have paid support but
> before then, gaining this understanding is massively valuable :)

I'm pretty certain this has nothing to do with servers being removed.
IPA isn't saying it can't find something, it's saying you aren't allowed
to do something.

Why that is the case I don't know. A way to maybe find out would involve
enabling debugging on the server. You can do this by creating
/etc/ipa/server.conf with these contents:

[global]
debug=True

Restart httpd and watch. I'd leave it on just long enough to see the
problem, then turn it off again given you are already 

[Freeipa-users] New IPA Servers

2016-12-02 Thread Outback Dingo
Ok so trying to set up a replica to deploy 2 new freeipa servers on
AWS... migrating from old servers going away, it was suggested to
create a replica then promote it.

The issue is the public IP for the new server is not the same as
the server's IP on AWS...
so which one do i use ???

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ACIerrors is httpd log

2016-12-02 Thread Jim Richard
Hmm ya. So before I rebuilt anything I thought maybe it was my DNS records but 
it looks like that’s not it.

More background, I used to have sso-109 and sso-110, both CA’s. I rebuilt 
sso-110 without CA.

My DNS is external, BIND on another host.

Using the following (at the end of the message) host/key issue as an example. 
On this host, in sssd.conf, ipa_server and krb5_server values are both _srv_ so 
that means they’ll discover from DNS right?

But in my krb5.conf I have:

[realms]
  PLACEIQ.NET = {
kdc = sso-110.nym1.placeiq.net:88
master_kdc = sso-110.nym1.placeiq.net:88
admin_server = sso-110.nym1.placeiq.net:749
default_domain = placeiq.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }


Is there any other IPA related config file that might reference a host name?

I’ll include my DNS records at the end here, do they look correct for a two 
server setup, one with a CA (sso-109) and the other no CA (sso-110)?

I never have been sure about the “kerberos-master” entries, what makes an IPA 
host a “kerberos master” and is this related to the CA in any way?

; ldap servers
_ldap._tcp  IN SRV 0 100 389 sso-109.nym1.placeiq.net.
_ldap._tcp  IN SRV 0 100 389 sso-110.nym1.placeiq.net.

;kerberos realm
_kerberos   IN TXT PLACEIQ.NET

; kerberos servers
_kerberos._tcp  IN SRV 0 100 88 sso-109.nym1.placeiq.net.
_kerberos._tcp  IN SRV 0 100 88 sso-110.nym1.placeiq.net.

_kerberos._udp  IN SRV 0 100 88 sso-109.nym1.placeiq.net.
_kerberos._udp  IN SRV 0 100 88 sso-110.nym1.placeiq.net.

_kerberos-master._tcp   IN SRV 0 100 88 sso-109.nym1.placeiq.net.
_kerberos-master._udp   IN SRV 0 100 88 sso-109.nym1.placeiq.net.
_kerberos-adm._tcp  IN SRV 0 100 749 sso-109.nym1.placeiq.net.
_kerberos-adm._udp  IN SRV 0 100 749 sso-109.nym1.placeiq.net.

_kpasswd._tcp   IN SRV 0 100 464 sso-109.nym1.placeiq.net.
_kpasswd._tcp   IN SRV 0 100 464 sso-110.nym1.placeiq.net.

_kpasswd._udp   IN SRV 0 100 464 sso-109.nym1.placeiq.net.
_kpasswd._udp   IN SRV 0 100 464 sso-110.nym1.placeiq.net.

; CNAME for IPA CA replicas (used for CRL, OCSP)
ipa-ca  IN A 10.1.41.109



Number of certificates and requests being tracked: 1.
Request ID '20141110221330':
status: MONITORING
ca-error: Server at https://sso-110.nym1.placeiq.net/ipa/xml denied our 
request, giving up: 2100 (RPC failed at server.  Insufficient access: not 
allowed to perform this command).
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA 
Machine Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine 
Certificate - phoenix-142.nym1.placeiq.net',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=PLACEIQ.NET
subject: CN=phoenix-142.nym1.placeiq.net,O=PLACEIQ.NET
expires: 2016-11-10 22:13:31 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes



We are moving to latest version on RHEL so we'll have paid support but before
then, gaining this understanding is massively valuable :)


     
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905


> On Dec 1, 2016, at 10:56 PM, Rob Crittenden  wrote:
> 
> Jim Richard wrote:
>> I think I know what the issue is.
>> 
>> I had 2 IPA servers, both with CA’s
>> 
>> I dropped one and rebuilt without the CA but a bunch of clients are
>> still pointing at this one server that now is without a CA.
>> 
>> Will rebuild that one with a CA and almost sure that will fix.
> 
> I'm rather skeptical of that. Not having a CA should not result in an
> ACI error. It should internally forward any cert requests to an IPA
> server that does have a CA and relay the result back to the requester.
> 
> rob
> 
>> 
>> Jim Richard
>> SYSTEM ADMINISTRATOR III
>> (646) 338-8905
>> 

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-02 Thread Rob Verduijn
2016-12-01 19:44 GMT+01:00 Rob Verduijn :

>
>
> 2016-12-01 17:20 GMT+01:00 Rob Crittenden :
>
>> Rob Verduijn wrote:
>> >
>> >
>> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden:
>> >
>> > Rob Verduijn wrote:
>> > > Hello,
>> > >
>> > > For some reason my ipa server no longer boots.
>> > > It keeps trying to start pki-tomcat service.
>> > >
>> > > Does anybody know where I should start looking to get this fixed ?
>> > >
>> > > Rob Verduijn
>> > >
>> > > ipactl -d start gives this output:
>> > > ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
>> > > non-zero exit status 8
>> > > ipa: DEBUG: Waiting for CA to start...
>> > > ipa: DEBUG: Starting external process
>> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> > > '--no-check-certificate'
>> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
>> > > ipa: DEBUG: Process finished, return code=8
>> > > ipa: DEBUG: stdout=
>> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
>> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
>> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
>> > > Connecting to freeipa02.tjako.thuis
>> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
>> > > HTTP request sent, awaiting response...
>> > >   HTTP/1.1 500 Internal Server Error
>> > >   Server: Apache-Coyote/1.1
>> > >   Content-Type: text/html;charset=utf-8
>> > >   Content-Language: en
>> > >   Content-Length: 2134
>> > >   Date: Thu, 01 Dec 2016 10:06:13 GMT
>> > >   Connection: close
>> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
>> > >
>> > > There are also some java warnings in the logs, but it's java and I can
>> > > never tell if it's a serious error when java gives a warning.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'serverCertNickFile' to
>> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
>> > > matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
>> > > find a matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
>> > > did not find a matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
>> > > property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
>> > > 'xmlValidation' to 'false' did not find a matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
>> > > 'xmlNamespaceAware' to 'false' did not find a matching property.
>> > >
>> > >
>> > > I'm running centos7.2 x86_64 with the latest patches applied.
>> > > some package versions below
>> > > rpm -qa|egrep "ipa|tomcat"|sort
>> > > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
>> > > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
>> > > 

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-02 Thread Sumit Bose
On Fri, Dec 02, 2016 at 08:30:28AM -0500, TomK wrote:
> Hey All,
> 
> I've successfully mapped the nixadmins to the external group
> nixadmins_external.  However no users in that group make it over to Free IPA
> that I can see.
> 
> ipa group-add-member nixadmins_external --external "nixadmins"
> 
> Windows AD users, 3 of them, are in the windows AD group nixadmins. However
> I can't port them over.
> 
> These accounts have UNIX attributes assigned to them.
> 
> Question that I have and can't find, should I be seeing these users in the
> mapped groups above?  ( ie within the GUI should I see any users listed from
> AD DC in nixadmins or nixadmins_external? )

no, the GUI won't show them. Calling 'id user_from_nixadmins@ad.domain'
should show that nixadmins_external is a member of that group. With
recent versions of SSSD 'getent group nixadmins_external' should list the
users from nixadmins as well; older versions might miss them.

HTH

bye,
Sumit

> 
> If there is an issue and I'm just not picking it out from the debug logs,
> what to look for?  Is there anything more I need to do on the Windows side
> that I haven't found on the existing pages?
> 
> 
> # ipa group-add-member nixadmins_external --external "nixadmins"
> [member user]:
> [member group]:
>   Group name: nixadmins_external
>   Description: NIX Admins External map
>   External member: S-1-5-21-3418825849-1633701630-2291579631-1006
>   Member groups: nixadmins
>   Member of groups: nixadmins
>   Indirect Member groups: nixadmins_external
> -
> Number of members added 1
> -
> #
> 
> 
> # ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> 
> Number of entries returned 1
> 
> #
> 
> 
> [realms]
>  DOM.ABC.XYZ = {
> .
> .
> .
>   auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
>   auth_to_local = DEFAULT
> }
> 
> 
> # ipa trust-fetch-domains abc.xyz
> 
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> 
> 
> Number of entries returned 0
> 
> [root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
>   Domain name: abc.xyz
>   Domain NetBIOS name: ABC
>   Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
>   Domain enabled: True
> 
> Number of entries returned 1
> 
> 
> 
> # ipa trust-fetch-domains abc.xyz
> 
> List of trust domains successfully refreshed. Use trustdomain-find command
> to list them.
> 
> 
> Number of entries returned 0
> 
> #
> 
> 
> The following command successfully returns all AD objects under the Users
> cn.
> 
> # ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b
> "cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn
> 
> 
> -- 
> Cheers,
> Tom K.
> -
> 
> Living on earth is expensive, but it includes a free trip around the sun.
> 


[Freeipa-users] Mapping users from AD to IPA KDC

2016-12-02 Thread TomK

Hey All,

I've successfully mapped the nixadmins to the external group 
nixadmins_external.  However no users in that group make it over to Free 
IPA that I can see.


ipa group-add-member nixadmins_external --external "nixadmins"

Windows AD users, 3 of them, are in the windows AD group nixadmins. 
However I can't port them over.


These accounts have UNIX attributes assigned to them.

Question that I have and can't find, should I be seeing these users in 
the mapped groups above?  ( ie within the GUI should I see any users 
listed from AD DC in nixadmins or nixadmins_external? )


If there is an issue and I'm just not picking it out from the debug 
logs, what to look for?  Is there anything more I need to do on the 
Windows side that I haven't found on the existing pages?



# ipa group-add-member nixadmins_external --external "nixadmins"
[member user]:
[member group]:
  Group name: nixadmins_external
  Description: NIX Admins External map
  External member: S-1-5-21-3418825849-1633701630-2291579631-1006
  Member groups: nixadmins
  Member of groups: nixadmins
  Indirect Member groups: nixadmins_external
-
Number of members added 1
-
#


# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1

#


[realms]
 DOM.ABC.XYZ = {
.
.
.
  auth_to_local = RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/
  auth_to_local = DEFAULT
}


# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.



Number of entries returned 0

[root@idmipa01 sssd]# ipa trustdomain-find abc.xyz
  Domain name: abc.xyz
  Domain NetBIOS name: ABC
  Domain Security Identifier: S-1-5-21-1803828911-4163023034-2461700517
  Domain enabled: True

Number of entries returned 1



# ipa trust-fetch-domains abc.xyz

List of trust domains successfully refreshed. Use trustdomain-find 
command to list them.



Number of entries returned 0

#


The following command successfully returns all AD objects under the 
Users cn.


# ldapsearch -x -h 192.168.0.3 -D "t...@abc.xyz" -W -b 
"cn=users,dc=abc,dc=xyz" -s sub "(cn=*)" cn mail sn



--
Cheers,
Tom K.
-

Living on earth is expensive, but it includes a free trip around the sun.

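
An added example, not from Tom's post: the auth_to_local rule in the krb5.conf excerpt above decides which local name a principal from the AD realm gets, and it is easy to misread. The block below evaluates MIT Kerberos auth_to_local rules the way libkrb5 does (component count, `$0`/`$1` expansion, the parenthesised regexp, then the `s///` substitution, first matching rule wins, DEFAULT only for single-component principals of the local realm). LOCAL_REALM and RULES_AS_POSTED are taken from the excerpt; RULES_TIGHTENED and the sample principals are constructed. One of them, tomk@ABCXXYZ, exists only to show that the unescaped `.` in `ABC.XYZ` matches any character, so the rule as posted would also rewrite a principal from a realm that merely looks like ABC.XYZ; the tightened variant escapes the dot and refuses it.

```python
"""Added example (not from the thread): evaluate MIT Kerberos auth_to_local
rules the way the KDC/libkrb5 does, using the rule posted above.

LOCAL_REALM and RULES_AS_POSTED come from the krb5.conf excerpt in the thread;
RULES_TIGHTENED and the sample principals are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LOCAL_REALM = "DOM.ABC.XYZ"
RULES_AS_POSTED = [
    "RULE:[1:$1@$0](^.*@ABC.XYZ$)s/@ABC.XYZ/@abc.xyz/",
    "DEFAULT",
]
# Same intent, with the realm's '.' escaped so it matches only a literal dot.
RULES_TIGHTENED = [
    r"RULE:[1:$1@$0](^.*@ABC\.XYZ$)s/@ABC\.XYZ/@abc.xyz/",
    "DEFAULT",
]


@dataclass
class Principal:
    components: List[str]
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'comp1/comp2@REALM' into its components and realm."""
    if "@" not in name:
        raise ValueError(f"principal has no realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    return Principal(local.split("/"), realm)


# RULE:[n:format](regexp)s/pattern/replacement/g ; regexp and s/// are optional.
_RULE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<regexp>.*?)\)(?=s/|$))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<repl>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


def apply_rule(rule: str, princ: Principal, local_realm: str) -> Optional[str]:
    """Local name this rule yields for princ, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the local realm.
        if princ.realm == local_realm and len(princ.components) == 1:
            return princ.components[0]
        return None
    m = _RULE.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    if len(princ.components) != int(m["n"]):
        return None  # wrong number of components: the rule is skipped

    def expand(var):  # $0 is the realm, $1..$n the principal components
        i = int(var.group(1))
        if i == 0:
            return princ.realm
        if i > len(princ.components):
            raise ValueError(f"${i} out of range in rule {rule!r}")
        return princ.components[i - 1]

    selected = re.sub(r"\$(\d+)", expand, m["fmt"])
    if m["regexp"] is not None and re.search(m["regexp"], selected) is None:
        return None
    if m["pat"] is not None:
        selected = re.sub(m["pat"], m["repl"], selected, count=0 if m["g"] else 1)
    return selected


def auth_to_local(rules: List[str], name: str, local_realm: str) -> Optional[str]:
    """First rule that maps the principal wins; None means no mapping (login fails)."""
    princ = parse_principal(name)
    for rule in rules:
        mapped = apply_rule(rule, princ, local_realm)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    for name in ("tomk@ABC.XYZ", "admin@DOM.ABC.XYZ",
                 "host/idmipa01.dom.abc.xyz@ABC.XYZ", "tomk@ABCXXYZ"):
        print(f"{name:40} posted -> {auth_to_local(RULES_AS_POSTED, name, LOCAL_REALM)!s:14}"
              f" tightened -> {auth_to_local(RULES_TIGHTENED, name, LOCAL_REALM)}")
```

Note that the rule maps tomk@ABC.XYZ to the string tomk@abc.xyz, not to a bare user name; whether that string is then a valid local account is a separate question for SSSD, which is why `id tomk@abc.xyz` returning "no such user" is still possible with a working rule.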


Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
Ok so why is it still not working?
Any suggestion?

On Fri, Dec 2, 2016 at 11:20 AM, Alexander Bokovoy 
wrote:

> On pe, 02 joulu 2016, Fujisan wrote:
>
>> I'm not sure my problem is linked to this 'dedicated keytab file' with
>> FILE: before the path to keytab file.
>>
> Yes, it does. Your client log below reports that the server cannot
> communicate with you because _the_server_ is unable to read its keytab
> when initializing GENSEC backed gssapi_krb5 and thus client switches to
> SPNEGO which also fails as the server cannot work without proper keytab
> using kerberos and password-based auth is not possible.
>
>
>
>> # smbclient -d3 -L \\10.0.21.200  -U smith
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> lp_load_ex: changing to config backend registry
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> added interface eno1 ip=10.0.21.18 bcast=10.0.21.31
>> netmask=255.255.255.240
>> Client started (version 4.5.1).
>> Enter smith's password:
>> Connecting to 10.0.21.200 at port 445
>> Doing spnego session setup (blob length=74)
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178@please_ignore
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x628a8215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy 
>> wrote:
>>
>> On pe, 02 joulu 2016, Fujisan wrote:
>>>
>>> Alexander,

 I have now in my conf on server A and client B

 dedicated keytab file = /etc/samba/samba.keytab

 instead of

 dedicated keytab file = FILE:/etc/samba/samba.keytab


 But unfortunately, it did not solve the problem.

 It did solve for me. The offending commit in Samba is c2f5c30b
>>>
>>> $ git tag --contains c2f5c30b|grep samba
>>> samba-4.5.0
>>> samba-4.5.0rc1
>>> samba-4.5.0rc2
>>> samba-4.5.0rc3
>>> samba-4.5.1
>>>
>>> It has following code:
>>> +krb5_error_code smb_krb5_open_keytab(krb5_context context,
>>> +const char *keytab_name_req,
>>> +bool write_access,
>>> +krb5_keytab *keytab)
>>> +{
>>> +   if (keytab_name_req != NULL) {
>>> +   if (keytab_name_req[0] != '/') {
>>> +   return KRB5_KT_BADNAME;
>>> +   }
>>> +   }
>>> +
>>> +   return smb_krb5_open_keytab_relative(context,
>>> +keytab_name_req,
>>> +write_access,
>>> +keytab);
>>> +}
>>>
>>> It is the check for keytab_name_req[0] not starting with '/' that causes
>>> the break.
>>>
>>>
>>>
>>>

 On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy 
 wrote:

 On to, 01 joulu 2016, Fujisan wrote:

>
> Hello,
>
>>
>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>> recently.
>> And I *cannot* access linux shares located on the F25 freeipa client
>> from
>> a
>> windows desktop.
>> But I can access linux shares located on the F25 freeipa server from
>> that
>> windows desktop.
>> And I can access linux shares located on the F24 freeipa client from
>> that
>> windows desktop.
>>
>> To be clear, I have:
>>  A/ 1 F25 freeipa server
>>  B/ 1 F25 freeipa client
>>  C/ 1 F24 freeipa client
>>  D/ 1 windows desktop
>>
>> I can access linux shares of A from D.
>> I can access linux shares of C from D.
>> I *cannot* access linux shares of B from D.
>>
>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>
>> [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab 

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Alexander Bokovoy

On pe, 02 joulu 2016, Fujisan wrote:

I'm not sure my problem is linked to this 'dedicated keytab file' with
FILE: before the path to keytab file.

Yes, it does. Your client log below reports that the server cannot
communicate with you because _the_server_ is unable to read its keytab
when initializing GENSEC backed gssapi_krb5 and thus client switches to
SPNEGO which also fails as the server cannot work without proper keytab
using kerberos and password-based auth is not possible.



# smbclient -d3 -L \\10.0.21.200  -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eno1 ip=10.0.21.18 bcast=10.0.21.31 netmask=255.255.255.240
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.200 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy 
wrote:


On pe, 02 joulu 2016, Fujisan wrote:


Alexander,

I have now in my conf on server A and client B

dedicated keytab file = /etc/samba/samba.keytab

instead of

dedicated keytab file = FILE:/etc/samba/samba.keytab


But unfortunately, it did not solve the problem.


It did solve for me. The offending commit in Samba is c2f5c30b

$ git tag --contains c2f5c30b|grep samba
samba-4.5.0
samba-4.5.0rc1
samba-4.5.0rc2
samba-4.5.0rc3
samba-4.5.1

It has following code:
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+const char *keytab_name_req,
+bool write_access,
+krb5_keytab *keytab)
+{
+   if (keytab_name_req != NULL) {
+   if (keytab_name_req[0] != '/') {
+   return KRB5_KT_BADNAME;
+   }
+   }
+
+   return smb_krb5_open_keytab_relative(context,
+keytab_name_req,
+write_access,
+keytab);
+}
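
Review bot: the absolute-path check in smb_krb5_open_keytab rejects every keytab name that carries a krb5 type prefix (`FILE:/etc/samba/samba.keytab`, `WRFILE:...`), which libkrb5 itself accepts, so `keytab_name_req[0] != '/'` turns a valid `dedicated keytab file = FILE:...` setting into KRB5_KT_BADNAME, exactly the "Key table name malformed" failure in this thread. If the intent is only to refuse relative paths, strip a recognised `TYPE:` prefix before the `'/'` test (or test the character after the colon), and add a comment above the `if` saying why relative names are refused, since the returned error says nothing about what was wrong with the name.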

It is the check for keytab_name_req[0] not starting with '/' that causes
the break.






On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy 
wrote:

On to, 01 joulu 2016, Fujisan wrote:


Hello,


I have upgraded a client and a freeipa server from Fedora 24 to 25
recently.
And I *cannot* access linux shares located on the F25 freeipa client
from
a
windows desktop.
But I can access linux shares located on the F25 freeipa server from
that
windows desktop.
And I can access linux shares located on the F24 freeipa client from
that
windows desktop.

To be clear, I have:
 A/ 1 F25 freeipa server
 B/ 1 F25 freeipa client
 C/ 1 F24 freeipa client
 D/ 1 windows desktop

I can access linux shares of A from D.
I can access linux shares of C from D.
I *cannot* access linux shares of B from D.

I get these messages on B in /var/log/samba/log.10.0.21.247 :

[2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)


Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
I'm not sure my problem is linked to this 'dedicated keytab file' with
FILE: before the path to keytab file.

# smbclient -d3 -L \\10.0.21.200  -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eno1 ip=10.0.21.18 bcast=10.0.21.31 netmask=255.255.255.240
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.200 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

On Fri, Dec 2, 2016 at 10:57 AM, Alexander Bokovoy wrote:

> On pe, 02 joulu 2016, Fujisan wrote:
>
>> Alexander,
>>
>> I have now in my conf on server A and client B
>>
>> dedicated keytab file = /etc/samba/samba.keytab
>>
>> instead of
>>
>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>>
>>
>> But unfortunately, it did not solve the problem.
>>
> It did solve for me. The offending commit in Samba is c2f5c30b
>
> $ git tag --contains c2f5c30b|grep samba
> samba-4.5.0
> samba-4.5.0rc1
> samba-4.5.0rc2
> samba-4.5.0rc3
> samba-4.5.1
>
> It has following code:
> +krb5_error_code smb_krb5_open_keytab(krb5_context context,
> +const char *keytab_name_req,
> +bool write_access,
> +krb5_keytab *keytab)
> +{
> +   if (keytab_name_req != NULL) {
> +   if (keytab_name_req[0] != '/') {
> +   return KRB5_KT_BADNAME;
> +   }
> +   }
> +
> +   return smb_krb5_open_keytab_relative(context,
> +keytab_name_req,
> +write_access,
> +keytab);
> +}
>
> It is the check for keytab_name_req[0] not starting with '/' that causes
> the break.
>
>
>
>>
>>
>> On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy wrote:
>>
>> On to, 01 joulu 2016, Fujisan wrote:
>>>
>>> Hello,

 I have upgraded a client and a freeipa server from Fedora 24 to 25
 recently.
 And I *cannot* access linux shares located on the F25 freeipa client from a
 windows desktop.
 But I can access linux shares located on the F25 freeipa server from that
 windows desktop.
 And I can access linux shares located on the F24 freeipa client from that
 windows desktop.

 To be clear, I have:
  A/ 1 F25 freeipa server
  B/ 1 F25 freeipa client
  C/ 1 F24 freeipa client
  D/ 1 windows desktop

 I can access linux shares of A from D.
 I can access linux shares of C from D.
 I *cannot* access linux shares of B from D.

 I get these messages on B in /var/log/samba/log.10.0.21.247 :

 [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
 [2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
 [2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
 [2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
 [2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to 

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Alexander Bokovoy

On pe, 02 joulu 2016, Fujisan wrote:

Alexander,

I have now in my conf on server A and client B

dedicated keytab file = /etc/samba/samba.keytab

instead of

dedicated keytab file = FILE:/etc/samba/samba.keytab


But unfortunately, it did not solve the problem.

It did solve for me. The offending commit in Samba is c2f5c30b

$ git tag --contains c2f5c30b|grep samba
samba-4.5.0
samba-4.5.0rc1
samba-4.5.0rc2
samba-4.5.0rc3
samba-4.5.1

It has following code:
+krb5_error_code smb_krb5_open_keytab(krb5_context context,
+const char *keytab_name_req,
+bool write_access,
+krb5_keytab *keytab)
+{
+   if (keytab_name_req != NULL) {
+   if (keytab_name_req[0] != '/') {
+   return KRB5_KT_BADNAME;
+   }
+   }
+
+   return smb_krb5_open_keytab_relative(context,
+keytab_name_req,
+write_access,
+keytab);
+}
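Review bot: the new guard in smb_krb5_open_keytab() rejects every non-NULL keytab name whose first byte is not '/', so a value that carries the libkrb5 type prefix (FILE:/etc/samba/samba.keytab, the form used for 'dedicated keytab file' earlier in this thread) now returns KRB5_KT_BADNAME instead of opening the file, which is what smbd reports as "Key table name malformed". Either strip a recognised FILE: prefix before the `keytab_name_req[0] != '/'` test, or document the change as breaking for existing configurations; the NULL pass-through to smb_krb5_open_keytab_relative() is fine as written.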

It is the check for keytab_name_req[0] not starting with '/' that causes
the break.





On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy wrote:


On to, 01 joulu 2016, Fujisan wrote:


Hello,

I have upgraded a client and a freeipa server from Fedora 24 to 25
recently.
And I *cannot* access linux shares located on the F25 freeipa client from a
windows desktop.
But I can access linux shares located on the F25 freeipa server from that
windows desktop.
And I can access linux shares located on the F24 freeipa client from that
windows desktop.

To be clear, I have:
 A/ 1 F25 freeipa server
 B/ 1 F25 freeipa client
 C/ 1 F24 freeipa client
 D/ 1 windows desktop

I can access linux shares of A from D.
I can access linux shares of C from D.
I *cannot* access linux shares of B from D.

I get these messages on B in /var/log/samba/log.10.0.21.247 :

[2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.261653,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.263330,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
 check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.263380,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
 SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.270531,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.270562,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.270586,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.313479,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.313506,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.313523,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.315256,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
 check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.315291,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
 SPNEGO login failed: NT_STATUS_NO_SUCH_USER

Also from the F25 server, I have the following when I run smbclient

f25server # smbclient -k -L 

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Fujisan
Alexander,

I have now in my conf on server A and client B

dedicated keytab file = /etc/samba/samba.keytab

instead of

dedicated keytab file = FILE:/etc/samba/samba.keytab


But unfortunately, it did not solve the problem.



On Fri, Dec 2, 2016 at 10:29 AM, Alexander Bokovoy wrote:

> On to, 01 joulu 2016, Fujisan wrote:
>
>> Hello,
>>
>> I have upgraded a client and a freeipa server from Fedora 24 to 25
>> recently.
>> And I *cannot* access linux shares located on the F25 freeipa client from
>> a
>> windows desktop.
>> But I can access linux shares located on the F25 freeipa server from that
>> windows desktop.
>> And I can access linux shares located on the F24 freeipa client from that
>> windows desktop.
>>
>> To be clear, I have:
>>  A/ 1 F25 freeipa server
>>  B/ 1 F25 freeipa client
>>  C/ 1 F24 freeipa client
>>  D/ 1 windows desktop
>>
>> I can access linux shares of A from D.
>> I can access linux shares of C from D.
>> I *cannot* access linux shares of B from D.
>>
>> I get these messages on B in /var/log/samba/log.10.0.21.247 :
>>
>> [2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.261653,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.263330,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.263380,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.270531,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.270562,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.270586,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.313479,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
>> [2016/12/01 11:42:19.313506,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
>>  ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
>> [2016/12/01 11:42:19.313523,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
>>  Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>> [2016/12/01 11:42:19.315256,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>  check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/12/01 11:42:19.315291,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>>  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
>>
>> Also from the F25 server, I have the following when I run smbclient
>>
>> f25server # smbclient -k -L f25desktop.mydomain
>> lp_load_ex: changing to config backend registry
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> But if I run it with an F24 desktop, it works:
>>
>> f25server # smbclient -k -L f24desktop.mydomain
>> lp_load_ex: changing to config backend registry
>> Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]
>>
>>        Sharename       Type      Comment
>>        ---------       ----      -------
>>        IPC$            IPC       IPC Service (Samba Server Version 4.4.7)
>>        data            Disk      /data on f24desktop
>>        data2           Disk      /data2 on f24desktop
>>        data3           Disk      /data3 on f24desktop
>>        backup          Disk      /backup on f24desktop
>> [...]
>>

Re: [Freeipa-users] cannot access to freeipa client's linux share from windows

2016-12-02 Thread Alexander Bokovoy

On to, 01 joulu 2016, Fujisan wrote:

Hello,

I have upgraded a client and a freeipa server from Fedora 24 to 25 recently.
And I *cannot* access linux shares located on the F25 freeipa client from a
windows desktop.
But I can access linux shares located on the F25 freeipa server from that
windows desktop.
And I can access linux shares located on the F24 freeipa client from that
windows desktop.

To be clear, I have:
 A/ 1 F25 freeipa server
 B/ 1 F25 freeipa client
 C/ 1 F24 freeipa client
 D/ 1 windows desktop

I can access linux shares of A from D.
I can access linux shares of C from D.
I *cannot* access linux shares of B from D.

I get these messages on B in /var/log/samba/log.10.0.21.247 :

[2016/12/01 11:42:19.218759,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.218800,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.218823,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.261611,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.261638,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.261653,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.263330,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
 check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.263380,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
 SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.270531,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.270562,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.270586,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.313479,  1] ../source3/librpc/crypto/gse_krb5.c:534(fill_mem_keytab_from_dedicated_keytab)
 ../source3/librpc/crypto/gse_krb5.c:534: smb_krb5_open_keytab failed (Key table name malformed)
[2016/12/01 11:42:19.313506,  1] ../source3/librpc/crypto/gse_krb5.c:627(gse_krb5_get_server_keytab)
 ../source3/librpc/crypto/gse_krb5.c:627: Error! Unable to set mem keytab - -1765328205
[2016/12/01 11:42:19.313523,  1] ../auth/gensec/gensec_start.c:698(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
[2016/12/01 11:42:19.315256,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
 check_ntlm_password:  Authentication for user [smith] -> [smith] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/12/01 11:42:19.315291,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
 SPNEGO login failed: NT_STATUS_NO_SUCH_USER

Also from the F25 server, I have the following when I run smbclient

f25server # smbclient -k -L f25desktop.mydomain
lp_load_ex: changing to config backend registry
session setup failed: NT_STATUS_LOGON_FAILURE

But if I run it with an F24 desktop, it works:

f25server # smbclient -k -L f24desktop.mydomain
lp_load_ex: changing to config backend registry
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server Version 4.4.7)
        data            Disk      /data on f24desktop
        data2           Disk      /data2 on f24desktop
        data3           Disk      /data3 on f24desktop
        backup          Disk      /backup on f24desktop
[...]


net conf list on the f25desktop gives:

f25desktop # net conf list
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN
   netbios name = F25SERVER
   server string = Samba Server Version %v
   kerberos method = dedicated keytab
   dedicated keytab file = FILE:/etc/samba/samba.keytab

There seems to be a change in Samba 4.5.0 which uses the 'dedicated keytab
file' value as it is when constructing a memory keytab. As a result,
libkrb5 is confused and does not know which keytab processing routine to
use (MEMORY:FILE:/etc/samba/samba.keytab is invalid).

You can replace the value by removing FILE: right now:

net conf setparm
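
As an added example (not Samba's code and not part of the thread), the '/' check from the quoted commit reproduced in C, plus a small lint that reads an smb.conf-style 'dedicated keytab file' value, says whether Samba 4.5 would reject it, and yields the corrected value Alexander describes (the path without FILE:). The function names and SAMPLE_CONF are this example's own; it assumes only the behaviour visible in the hunk and the log lines above.

```c
/* Added example, not Samba's code: mirrors the keytab-name check that Samba
 * 4.5.0 gained in commit c2f5c30b and lints an smb.conf-style "dedicated
 * keytab file" value, so a FILE: prefix is caught before smbd logs "Key table
 * name malformed". Function names and the sample config are this example's own. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Same decision as smb_krb5_open_keytab() in the quoted hunk: a non-NULL name
 * must begin with '/', anything else comes back as KRB5_KT_BADNAME. */
static bool samba45_accepts_keytab_name(const char *name)
{
    return name == NULL || name[0] == '/';
}

/* Trim VALUE (LEN bytes, not NUL-terminated), drop a leading FILE: prefix and
 * copy the rest to OUT. True only if the result passes the check above; any
 * other prefix (e.g. MEMORY:) or a relative name is reported as unfixable. */
static bool normalize_dedicated_keytab(const char *value, size_t len,
                                       char *out, size_t outlen)
{
    while (len > 0 && isspace((unsigned char)*value)) { value++; len--; }
    if (len >= 5 && strncasecmp(value, "FILE:", 5) == 0) { value += 5; len -= 5; }
    while (len > 0 && isspace((unsigned char)value[len - 1]))
        len--;
    if (len == 0 || len >= outlen || !samba45_accepts_keytab_name(value))
        return false;
    memcpy(out, value, len);
    out[len] = '\0';
    return true;
}

/* Find "dedicated keytab file" in CONF (smb.conf or "net conf list" text).
 * Returns 0 if absent, 1 if the value already passes the check, 2 if Samba
 * 4.5 would reject it and FIXED now holds a corrected value, -1 if dropping
 * FILE: does not repair it. */
static int lint_dedicated_keytab(const char *conf, char *fixed, size_t fixedlen)
{
    static const char key[] = "dedicated keytab file";
    const char *line = conf;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line + strspn(line, " \t");
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq != NULL && strncmp(p, key, sizeof key - 1) == 0) {
            const char *v = eq + 1 + strspn(eq + 1, " \t");
            bool had_prefix = (end - v) >= 5 && strncasecmp(v, "FILE:", 5) == 0;
            if (!normalize_dedicated_keytab(v, (size_t)(end - v), fixed, fixedlen))
                return -1;
            return had_prefix ? 2 : 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Constructed input modelled on the "net conf list" output in the thread. */
static const char SAMPLE_CONF[] =
    "[global]\n"
    "   workgroup = MYDOMAIN\n"
    "   kerberos method = dedicated keytab\n"
    "   dedicated keytab file = FILE:/etc/samba/samba.keytab\n";
```

Calling lint_dedicated_keytab() on SAMPLE_CONF returns 2 and leaves /etc/samba/samba.keytab in fixed, which is the value to set with net conf setparm.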