Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Alexander Bokovoy

On Wed, 21 Sep 2016, Brook, Andy [CRI] wrote:

On 9/16/16, 12:02 PM, "Alexander Bokovoy"  wrote:

   On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
   >You can replace actual hostnames/realm names/IP addresses by something more generic
   >in the output when sending to the list, but please do it consistently.
   >
   >I’m sorry. I thought I had been consistent when making changes, but
   >from your response, it looks like I wasn’t. I’m sorry about that. I got
   >yelled at by our security team last time we sent logs to a public list
   >that had any type of identifiable information in them, so it’s sort of
   >a new process for me. I think I have it down now.
   >
   >The results of the commands are here: http://pastebin.com/PRwr7wv6
   So IPA side works fine -- on IPA client you can kinit as AD user and
   then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
   request a service ticket to cifs/... service. That's good.

   You need to identify what happens on AD side. A possible issue is that
   name suffix routing to IPA domain is disabled.

   Can you provide output of netdom.exe run on Windows side:

 netdom trust addom.domain /namesuffixes: ipa.domain

   You should get something like example 28 on the page
   https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

Thank you for this. I went to run the command and kept getting an
“Incorrect parameter” error. After that I talked to one of our Active
Directory admins and he mentioned that we are working on resolving a
disjoint namespace error on addom. I don’t understand enough about it,
but do know that it can cause issues with Kerberos authentication
across domains. That should get fixed soon. Once that gets fixed, I’ll
test again.

I have one more related question. The instruction page states that
NTLMSSP authentication isn’t working as of yet, as well as you
mentioned it earlier in this thread. Is there a bug or feature request
that is tracking that?

https://fedorahosted.org/sssd/ticket/2012 is a tracker. We have
gss-ntlmssp implemented but it depends on winbindd and there are things
which are not done yet in making sssd/winbindd co-working.

We had a few talks about possible ways to integrate around that topic at
SambaXP 2016 conference:
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Simo_Sorce-SambaAndLinuxDistributionsLetsIntegrateBetter.pdf
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumit_Bose-WinbindAndSSSDCanTheyBeFriends/

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Brook, Andy [CRI]
On 9/16/16, 12:02 PM, "Alexander Bokovoy"  wrote:

On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
>You can replace actual hostnames/realm names/IP addresses by something more generic
>in the output when sending to the list, but please do it consistently.
>
>I’m sorry. I thought I had been consistent when making changes, but
>from your response, it looks like I wasn’t. I’m sorry about that. I got
>yelled at by our security team last time we sent logs to a public list
>that had any type of identifiable information in them, so it’s sort of
>a new process for me. I think I have it down now.
>
>The results of the commands are here: http://pastebin.com/PRwr7wv6
So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

  netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

Thank you for this. I went to run the command and kept getting an “Incorrect 
parameter” error. After that I talked to one of our Active Directory admins and 
he mentioned that we are working on resolving a disjoint namespace error on 
addom. I don’t understand enough about it, but do know that it can cause issues 
with Kerberos authentication across domains. That should get fixed soon. Once 
that gets fixed, I’ll test again. 

I have one more related question. The instruction page states that NTLMSSP 
authentication isn’t working as of yet, as well as you mentioned it earlier in 
this thread. Is there a bug or feature request that is tracking that? 

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu




This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please 
notify the sender and destroy all copies of the transmittal. 

Thank you
University of Chicago Medicine and Biological Sciences 



Re: [Freeipa-users] Samba Server setup

2016-09-16 Thread Alexander Bokovoy

On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:

   You can replace actual hostnames/realm names/IP addresses by something more generic
   in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but
from your response, it looks like I wasn’t. I’m sorry about that. I got
yelled at by our security team last time we sent logs to a public list
that had any type of identifiable information in them, so it’s sort of
a new process for me. I think I have it down now.

The results of the commands are here: http://pastebin.com/PRwr7wv6

So IPA side works fine -- on IPA client you can kinit as AD user and
then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
request a service ticket to cifs/... service. That's good.

You need to identify what happens on AD side. A possible issue is that
name suffix routing to IPA domain is disabled.

Can you provide output of netdom.exe run on Windows side:

 netdom trust addom.domain /namesuffixes: ipa.domain

You should get something like example 28 on the page
https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx

--
/ Alexander Bokovoy


Re: [Freeipa-users] Samba Server setup

2016-09-16 Thread Brook, Andy [CRI]
On 9/16/16, 12:04 AM, "Alexander Bokovoy"  wrote:

On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/15/16, 1:06 PM, "Alexander Bokovoy"  wrote:
>
>On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>>All,
>>  I’m working on setting up Samba to serve files from a server attached
>>  to our IPA domain. I followed the directions in
>>  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
>>  Everything seems to work and I can access the files from another RHEL
>>  server attached to the same domain using a Kerberos ticket from a
>>  user from the trusted AD domain. However, I can’t access this share
>>  from a windows client that is also attached to the trusted AD domain.
>>
>>My smb.conf is as follows:
>>[global]
>>workgroup = IPA
>>realm = IPA.DOMAIN
>>kerberos method = dedicated keytab
>>dedicated keytab file = FILE:/etc/samba/samba.keytab
>>log file = /var/log/samba/log.%m
>>log level = 3
>>security = ads
>>load printers = no
>>disable spoolss = yes
>>map to guest = Never
>>restrict anonymous = 2
>>
>>[spacetest]
>>path = /var/www
>>writable = yes
>>browsable = yes
>>
>>I put the keytab in place from the cifs service from the IPA server.
>>
>>I feel like I’m missing something small, but I can’t seem to find it.
>>Logs from samba are here: http://pastebin.com/aMDXfR78
>These logs show that your Windows client did not use Kerberos but tried
>to authenticate with password using NTLMSSP. This is not supported yet,
>as written on the page you used for the setup guidance.
>
>You need to find out why Windows client didn't use Kerberos.
>Is your trust to AD really working?
>
>We’re authenticating AD users on the hosts that are connected to IPA.
>We’re able to create external groups and associate them with internal
>groups for HBAC and sudoers rules. Is there something else I should
>check to see if the trust is working? It’s entirely possible I missed
>something somewhere in the setup, but I don’t think I did.
Start by listing your configuration. Show:
 - ipa service-show cifs/samba.server.host (using FQDN hostname)

 - ipa trust-show ad.domain

 - kinit user@AD.DOMAIN ;  KRB5_TRACE=/dev/stderr smbclient -k //samba.server.host/share

 - Try to access \\samba.server.host\share from Windows host and then
   show 'klist' in the Windows shell, or alternatively,

 - if you are using Windows Server 2012 or later, show output of
   'klist get cifs/samba.server.host@IPA.DOMAIN'

 - show any lines related to user@AD.DOMAIN and
   cifs/samba.server.host from /var/log/krb5kdc.log on IPA master

You can replace actual hostnames/realm names/IP addresses by something more generic
in the output when sending to the list, but please do it consistently.

I’m sorry. I thought I had been consistent when making changes, but from your 
response, it looks like I wasn’t. I’m sorry about that. I got yelled at by our 
security team last time we sent logs to a public list that had any type of 
identifiable information in them, so it’s sort of a new process for me. I think 
I have it down now. 

The results of the commands are here: http://pastebin.com/PRwr7wv6


Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu







Re: [Freeipa-users] Samba Server setup

2016-09-15 Thread Alexander Bokovoy

On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:

On 9/15/16, 1:06 PM, "Alexander Bokovoy"  wrote:

   On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
   >All,
   >  I’m working on setting up Samba to serve files from a server attached
   >  to our IPA domain. I followed the directions in
   >  
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
   >  Everything seems to work and I can access the files from another RHEL
   >  server attached to the same domain using a Kerberos ticket from a
   >  user from the trusted AD domain. However, I can’t access this share
   >  from a windows client that is also attached to the trusted AD domain.
   >
   >My smb.conf is as follows:
   >[global]
   >workgroup = IPA
   >realm = IPA.DOMAIN
   >kerberos method = dedicated keytab
   >dedicated keytab file = FILE:/etc/samba/samba.keytab
   >log file = /var/log/samba/log.%m
   >log level = 3
   >security = ads
   >load printers = no
   >disable spoolss = yes
   >map to guest = Never
   >restrict anonymous = 2
   >
   >[spacetest]
   >path = /var/www
   >writable = yes
   >browsable = yes
   >
   >I put the keytab in place from the cifs service from the IPA server.
   >
   >I feel like I’m missing something small, but I can’t seem to find it.
   >Logs from samba are here: http://pastebin.com/aMDXfR78
   These logs show that your Windows client did not use Kerberos but tried
   to authenticate with password using NTLMSSP. This is not supported yet,
   as written on the page you used for the setup guidance.

   You need to find out why Windows client didn't use Kerberos.
   Is your trust to AD really working?

We’re authenticating AD users on the hosts that are connected to IPA.
We’re able to create external groups and associate them with internal
groups for HBAC and sudoers rules. Is there something else I should
check to see if the trust is working? It’s entirely possible I missed
something somewhere in the setup, but I don’t think I did.

Start by listing your configuration. Show:
- ipa service-show cifs/samba.server.host (using FQDN hostname)

- ipa trust-show ad.domain

- kinit user@AD.DOMAIN ;  KRB5_TRACE=/dev/stderr smbclient -k //samba.server.host/share

- Try to access \\samba.server.host\share from Windows host and then
  show 'klist' in the Windows shell, or alternatively,

- if you are using Windows Server 2012 or later, show output of
  'klist get cifs/samba.server.host@IPA.DOMAIN'

- show any lines related to user@AD.DOMAIN and
  cifs/samba.server.host from /var/log/krb5kdc.log on IPA master

You can replace actual hostnames/realm names/IP addresses by something more generic
in the output when sending to the list, but please do it consistently.

--
/ Alexander Bokovoy

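The checklist above ends with klist output from both the IPA client and the Windows host. What a reader is looking for in that output is a specific three-ticket chain: the user's own TGT, a cross-realm TGT for the IPA realm issued by the AD KDC, and finally the cifs/ service ticket issued by the IPA KDC. The script below is an added example, not code from FreeIPA, Samba or anyone in this thread; it reads a klist dump in either the MIT or the Windows format and reports which step of that chain is missing. AD.DOMAIN, IPA.DOMAIN and samba.server.host are the placeholder names used in the thread, and both klist dumps embedded in the script are constructed to mimic the two formats rather than captured from a real host.

```python
"""Check a klist dump for the cross-realm path an AD user needs to reach a
Samba share in an IPA realm.

Added example, not code from FreeIPA, Samba or anyone in the thread.
AD.DOMAIN, IPA.DOMAIN and samba.server.host are the thread's placeholders.
Both klist dumps below are constructed to mimic the MIT (Linux) and the
Windows klist output formats; nothing here was captured from a real host.
"""
import re

# MIT klist prints "svc/host@REALM"; Windows klist prints "svc/host @ REALM".
# Requiring a "/" skips user principals such as user@AD.DOMAIN and dates.
_SERVICE = re.compile(r"\b([A-Za-z0-9._-]+/[A-Za-z0-9._-]+)\s*@\s*([A-Z0-9.-]+)")


def service_principals(klist_text):
    """Return the set of (service, realm) pairs for every ticket in the dump."""
    found = set()
    for line in klist_text.splitlines():
        m = _SERVICE.search(line)
        if m:
            found.add((m.group(1), m.group(2)))
    return found


def missing_steps(klist_text, user_realm, service_realm, service):
    """List the steps of the cross-realm path that are absent, in order.

    For user@AD.DOMAIN reaching cifs/host@IPA.DOMAIN the full path is:
      1. krbtgt/AD.DOMAIN@AD.DOMAIN   initial TGT from the user's own KDC
      2. krbtgt/IPA.DOMAIN@AD.DOMAIN  cross-realm TGT, issued by the AD KDC
      3. cifs/host@IPA.DOMAIN         service ticket, issued by the IPA KDC
    """
    have = service_principals(klist_text)
    path = [
        (("krbtgt/" + user_realm, user_realm),
         "initial TGT for " + user_realm),
        (("krbtgt/" + service_realm, user_realm),
         "cross-realm TGT for " + service_realm + " issued by " + user_realm),
        ((service, service_realm),
         "service ticket " + service + "@" + service_realm),
    ]
    return [label for princ, label in path if princ not in have]


def diagnose(klist_text, user_realm, service_realm, service):
    """Point at the side of the trust to look at, from the first missing step."""
    gaps = missing_steps(klist_text, user_realm, service_realm, service)
    if not gaps:
        return "ok: full cross-realm path present"
    if gaps[0].startswith("initial TGT"):
        return "no TGT: logon/kinit against " + user_realm + " failed"
    if gaps[0].startswith("cross-realm TGT"):
        # The user's own KDC never referred the client to the other realm, so
        # Samba never saw a ticket: look at the AD side (trust, name suffix
        # routing), not at smb.conf.
        return "AD KDC issued no referral to " + service_realm
    return "referral ok, but the " + service_realm + " KDC issued no ticket for " + service


# Constructed MIT klist output on an IPA client after
#   kinit user@AD.DOMAIN; smbclient -k //samba.server.host/share
KLIST_IPA_CLIENT = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@AD.DOMAIN

Valid starting       Expires              Service principal
09/16/2016 12:00:01  09/16/2016 22:00:01  krbtgt/AD.DOMAIN@AD.DOMAIN
09/16/2016 12:00:05  09/16/2016 22:00:01  krbtgt/IPA.DOMAIN@AD.DOMAIN
09/16/2016 12:00:05  09/16/2016 22:00:01  cifs/samba.server.host@IPA.DOMAIN
"""

# Constructed Windows klist output after opening \\samba.server.host\share
# fell back to NTLMSSP: only the user's own TGT is in the cache.
KLIST_WINDOWS = """\
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: user @ AD.DOMAIN
        Server: krbtgt/AD.DOMAIN @ AD.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 9/16/2016 12:00:01 (local)
        End Time:   9/16/2016 22:00:01 (local)
"""

if __name__ == "__main__":
    for name, dump in (("IPA client", KLIST_IPA_CLIENT), ("Windows client", KLIST_WINDOWS)):
        print(name + ": " + diagnose(dump, "AD.DOMAIN", "IPA.DOMAIN", "cifs/samba.server.host"))
```

Run it against a real dump by pasting the klist text into one of the two strings, or feed sys.stdin to diagnose(). The Windows case is the interesting one: when the cache holds only krbtgt/AD.DOMAIN@AD.DOMAIN, the AD KDC never handed out a referral for the IPA realm, which is why the client falls back to NTLMSSP and why the trust (name suffix routing) rather than smb.conf is the place to look.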

Re: [Freeipa-users] Samba Server setup

2016-09-15 Thread Brook, Andy [CRI]
On 9/15/16, 1:06 PM, "Alexander Bokovoy"  wrote:

On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
>All,
>  I’m working on setting up Samba to serve files from a server attached
>  to our IPA domain. I followed the directions in
>  
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
>  Everything seems to work and I can access the files from another RHEL
>  server attached to the same domain using a Kerberos ticket from a
>  user from the trusted AD domain. However, I can’t access this share
>  from a windows client that is also attached to the trusted AD domain.
>
>My smb.conf is as follows:
>[global]
>workgroup = IPA
>realm = IPA.DOMAIN
>kerberos method = dedicated keytab
>dedicated keytab file = FILE:/etc/samba/samba.keytab
>log file = /var/log/samba/log.%m
>log level = 3
>security = ads
>load printers = no
>disable spoolss = yes
>map to guest = Never
>restrict anonymous = 2
>
>[spacetest]
>path = /var/www
>writable = yes
>browsable = yes
>
>I put the keytab in place from the cifs service from the IPA server.
>
>I feel like I’m missing something small, but I can’t seem to find it.
>Logs from samba are here: http://pastebin.com/aMDXfR78
These logs show that your Windows client did not use Kerberos but tried
to authenticate with password using NTLMSSP. This is not supported yet,
as written on the page you used for the setup guidance.

You need to find out why Windows client didn't use Kerberos.
Is your trust to AD really working?

We’re authenticating AD users on the hosts that are connected to IPA. We’re 
able to create external groups and associate them with internal groups for HBAC 
and sudoers rules. Is there something else I should check to see if the trust 
is working? It’s entirely possible I missed something somewhere in the setup, 
but I don’t think I did. 

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu







Re: [Freeipa-users] Samba Server setup

2016-09-15 Thread Alexander Bokovoy

On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:

All,
 I’m working on setting up Samba to serve files from a server attached
 to our IPA domain. I followed the directions in
 https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
 Everything seems to work and I can access the files from another RHEL
 server attached to the same domain using a Kerberos ticket from a
 user from the trusted AD domain. However, I can’t access this share
 from a windows client that is also attached to the trusted AD domain.

My smb.conf is as follows:
[global]
   workgroup = IPA
   realm = IPA.DOMAIN
   kerberos method = dedicated keytab
   dedicated keytab file = FILE:/etc/samba/samba.keytab
   log file = /var/log/samba/log.%m
   log level = 3
   security = ads
   load printers = no
   disable spoolss = yes
   map to guest = Never
   restrict anonymous = 2

[spacetest]
   path = /var/www
   writable = yes
   browsable = yes

I put the keytab in place from the cifs service from the IPA server.

I feel like I’m missing something small, but I can’t seem to find it.
Logs from samba are here: http://pastebin.com/aMDXfR78

These logs show that your Windows client did not use Kerberos but tried
to authenticate with password using NTLMSSP. This is not supported yet,
as written on the page you used for the setup guidance.

You need to find out why Windows client didn't use Kerberos.
Is your trust to AD really working?

--
/ Alexander Bokovoy

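The distinction drawn from the log above (the client authenticated with NTLMSSP, not Kerberos) can be checked mechanically rather than by reading the pastebin by hand. The script below is an added example, not code from Samba, FreeIPA or anyone in this thread: it scans a Samba log written at "log level = 3" for the "Starting GENSEC mechanism" lines and for the identity lines that the NTLMSSP and Kerberos paths print, and returns a one-line verdict. The two log excerpts are constructed to resemble that output (the bracketed file:line headers are illustrative) and are not the poster's log; message wording can differ between Samba versions, so adjust the regular expressions to what your own log prints.

```python
"""Tell from a Samba debug log (log level = 3) whether an SMB client
authenticated with Kerberos or fell back to NTLMSSP.

Added example, not code from Samba, FreeIPA or anyone in the thread.
The log excerpts are constructed to resemble Samba level-3 debug output;
the bracketed file:line headers are illustrative and the exact message
text may differ between Samba versions.
"""
import re
from collections import Counter

_MECH = re.compile(r"Starting GENSEC mechanism (\S+)")
_NTLM_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
_KRB_PRINC = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")


def classify_auth(log_text):
    """Summarise which authentication mechanisms a Samba log shows.

    Returns the mechanism counts, the (user, domain, workstation) triples seen
    in NTLMSSP AUTHENTICATE messages, and the Kerberos ticket principals that
    were accepted. Samba names its Kerberos mechanism gse_krb5 or gssapi_krb5
    depending on the build; both show up under "mechanisms".
    """
    mechs = Counter()
    ntlm = []
    krb = []
    for line in log_text.splitlines():
        m = _MECH.search(line)
        if m:
            mechs[m.group(1)] += 1
        m = _NTLM_USER.search(line)
        if m:
            ntlm.append(m.groups())
        m = _KRB_PRINC.search(line)
        if m:
            krb.append(m.group(1))
    return {"mechanisms": dict(mechs), "ntlmssp_logons": ntlm, "kerberos_principals": krb}


def verdict(log_text):
    """One line answering the question the thread asks: did the client use Kerberos?"""
    s = classify_auth(log_text)
    if s["ntlmssp_logons"] and not s["kerberos_principals"]:
        who = ", ".join("%s\\%s from %s" % (d, u, w) for u, d, w in s["ntlmssp_logons"])
        return "NTLMSSP only (" + who + "): client never presented a Kerberos ticket"
    if s["kerberos_principals"]:
        return "Kerberos: " + ", ".join(s["kerberos_principals"])
    return "no authentication attempt found"


# Constructed log.%m excerpt for a Windows client that fell back to NTLMSSP,
# the situation described in the thread.
LOG_NTLMSSP = """\
[2016/09/15 08:10:42.123456,  3] ../auth/gensec/gensec_start.c:918(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/09/15 08:10:42.123987,  3] ../auth/gensec/gensec_start.c:918(gensec_start_mech)
  Starting GENSEC mechanism ntlmssp
[2016/09/15 08:10:42.130001,  3] ../auth/ntlmssp/ntlmssp_server.c:456(ntlmssp_server_preauth)
  Got user=[aduser] domain=[ADDOM] workstation=[WINCLIENT] len1=24 len2=282
"""

# Constructed excerpt for an IPA-enrolled Linux client using smbclient -k.
LOG_KERBEROS = """\
[2016/09/15 08:12:01.000001,  3] ../auth/gensec/gensec_start.c:918(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2016/09/15 08:12:01.000100,  3] ../auth/gensec/gensec_start.c:918(gensec_start_mech)
  Starting GENSEC mechanism gse_krb5
[2016/09/15 08:12:01.004000,  3] ../source3/auth/auth_generic.c:168(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [aduser@AD.DOMAIN]
"""

if __name__ == "__main__":
    for name, text in (("windows client", LOG_NTLMSSP), ("smbclient -k", LOG_KERBEROS)):
        print(name + ": " + verdict(text))
```

Because "log file = /var/log/samba/log.%m" in the posted smb.conf writes one log per client machine, run verdict() over the file for the Windows host that cannot connect; an "NTLMSSP only" answer means the problem is upstream of Samba (the client never obtained a ticket for the cifs/ principal), and the next things to check are the ones listed in the reply above.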

Re: [Freeipa-users] Samba Server setup

2016-09-15 Thread Alan Latteri
I too am running into this problem.  Looking forward to some feedback regarding 
this issue.

> On Sep 15, 2016, at 7:04 AM, Brook, Andy [CRI] wrote:
> 
> All,
>  I’m working on setting up Samba to serve files from a server attached to our 
> IPA domain. I followed the directions in 
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA. 
> Everything seems to work and I can access the files from another RHEL server 
> attached to the same domain using a Kerberos ticket from a user from the 
> trusted AD domain. However, I can’t access this share from a windows client 
> that is also attached to the trusted AD domain.
> 
> My smb.conf is as follows:
> [global]
>workgroup = IPA
>realm = IPA.DOMAIN
>kerberos method = dedicated keytab
>dedicated keytab file = FILE:/etc/samba/samba.keytab
>log file = /var/log/samba/log.%m
>log level = 3
>security = ads
>load printers = no
>disable spoolss = yes
>map to guest = Never
>restrict anonymous = 2
> 
> [spacetest]
>path = /var/www
>writable = yes
>browsable = yes
> 
> I put the keytab in place from the cifs service from the IPA server.
> 
> I feel like I’m missing something small, but I can’t seem to find it. Logs 
> from samba are here: http://pastebin.com/aMDXfR78
> 
> Andy Brook
> Sr. Systems Administrator | Center for Research Informatics | University of 
> Chicago
> T: 773-834-0458 | http://cri.uchicago.edu
> 
> 



[Freeipa-users] Samba Server setup

2016-09-15 Thread Brook, Andy [CRI]
All,
  I’m working on setting up Samba to serve files from a server attached to our 
IPA domain. I followed the directions in 
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA. 
Everything seems to work and I can access the files from another RHEL server 
attached to the same domain using a Kerberos ticket from a user from the 
trusted AD domain. However, I can’t access this share from a windows client 
that is also attached to the trusted AD domain.

My smb.conf is as follows:
[global]
workgroup = IPA
realm = IPA.DOMAIN
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
log file = /var/log/samba/log.%m
log level = 3
security = ads
load printers = no
disable spoolss = yes
map to guest = Never
restrict anonymous = 2

[spacetest]
path = /var/www
writable = yes
browsable = yes

I put the keytab in place from the cifs service from the IPA server.

I feel like I’m missing something small, but I can’t seem to find it. Logs from 
samba are here: http://pastebin.com/aMDXfR78

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of 
Chicago
T: 773-834-0458 | http://cri.uchicago.edu



