Hello,

     I've personally been using FreeIPA for some time and I love it
immensely. I thought I'd start a post here due to the direction my
troubleshooting has gone instead of the Samba mailing list. Allow me to
explain what I've done, why I've done it and then the problem I'm having.

     I just recently started working for a school and the school has some
Windows labs. A problem that has come to my attention is that the OpenLDAP
to Samba3 NT4 domain they've been using for years is no longer compatible
with Windows 10. To dispel any illusion, I'm not trying to get the NT4
domain working nice with Windows 10. Additionally Samba4 has changed its
design structure such that OpenLDAP, or really any LDAP server except
Samba4's internal LDAP server, will no longer work for the Active Directory.

     The school would like the Windows machines in the labs to authenticate
students via their OpenLDAP credentials. I am open to alternatives but the
closest thing I found was adding local users on each Windows workstation
and having them authenticate to the FreeIPA server. The problem here is
that users will continually be added and deleted. The Samba project would
have us go all in with Samba4's internal LDAP server. While I'm not
directly knocking that, since from my testing it seems to be quite
functional, the upheaval would be tremendous. Fortunately we were already
looking into switching to 389 before I came on so I've been touting the
possibility of replacing OpenLDAP with FreeIPA before this Samba4 issue. A
solution I thought should work is to use a trust between a FreeIPA (IPA)
and a Samba4 Active Directory (AD). I've since configured both and have
created that trust.

     I have a Windows 10 machine connected to the Samba4 domain. When I
attempt to logon with an account from the IPA domain I am presented with
"Insufficient system resources exist to complete the requested service." At
first I took this message at face value and increased the memory of the
workstation from which I'm trying to logon. There are few results from a
Google search about this error without focusing on local memory. After
reading and troubleshooting I believe this may be a failure in the
Kerberos InitializeSecurityContext function that's producing
SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and
seemingly not coming from Samba4 AD.

     A couple of things I've noticed: when I attempt to log in as user@ipa, if
the password is wrong Windows tells me my password is incorrect. If I use
the correct password I'm presented with that "Insufficient system resources
exist to complete the requested service." The Event Viewer only shows me a
generic logon error message. When I look at the Kerberos logs on both
systems I see on AD 'Realm not local to KDC' and 'No matching key in
entry', but on IPA I see 'Additional pre-authentication required', then
AS_REQ ISSUE and finally TGS_REQ ISSUE.

     I continued to do a tcpdump on port 88 to see who was directly
communicating to the FreeIPA server and I found that the Windows
workstation was making a direct Kerberos request. I then expanded my
tcpdump to include all traffic from the workstation and upon another logon
attempt only port 88 was used to communicate to FreeIPA. I therefore think
that this is a Kerberos specific problem and not necessarily a Samba4
problem. Unfortunately I'm not knowledgeable enough in Kerberos to identify
what's going on.

     I don't know what information I should present, such as configs or
logs. Whatever is needed I can provide. I greatly appreciate any help,
advice or potentially other non management nightmare solutions! Thank you
all very much!

[root@freeipa-dev log]# ipa trustdomain-find ad.school.edu
  Domain name: ad.school.edu
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-276971437-2632767696-819257926
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------


-- 
Vex
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
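As an added example (not part of the post above and not FreeIPA's or Samba's own tooling), the following Python script parses the IPA-side krb5kdc log the poster describes, groups requests per client workstation and principal, and reports which steps of a cross-realm logon the local KDC completed: the initial TGT (AS_REQ ISSUE) and the cross-realm TGT for krbtgt/<trusted realm>@<local realm> (TGS_REQ ISSUE). It assumes MIT krb5kdc's default log-line format; the realm name IPA.SCHOOL.EDU, the host names, IP addresses and principals in the sample lines are constructed for this example.

```python
"""Summarize an MIT krb5kdc log (the format FreeIPA's KDC writes) into
per-client request chains so a cross-realm logon can be checked step by step.

Added example, not from the mailing-list post. Assumes MIT krb5kdc's default
log-line format; realm, host, IP and principal values below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log lines in MIT krb5kdc's format (not real captures).
# Client 10.0.0.50 completes both steps; client 10.0.0.51 fails pre-auth.
SAMPLE_KDC_LOG = """\
Jan 20 10:00:01 freeipa-dev.ipa.school.edu krb5kdc[1234](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.0.0.50: NEEDED_PREAUTH: student@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Additional pre-authentication required
Jan 20 10:00:01 freeipa-dev.ipa.school.edu krb5kdc[1234](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.0.0.50: ISSUE: authtime 1579514401, etypes {rep=18 tkt=18 ses=18}, student@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU
Jan 20 10:00:02 freeipa-dev.ipa.school.edu krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 23 24 -135 3}) 10.0.0.50: ISSUE: authtime 1579514401, etypes {rep=18 tkt=18 ses=18}, student@IPA.SCHOOL.EDU for krbtgt/AD.SCHOOL.EDU@IPA.SCHOOL.EDU
Jan 20 10:05:10 freeipa-dev.ipa.school.edu krb5kdc[1234](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.0.0.51: NEEDED_PREAUTH: teacher@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Additional pre-authentication required
Jan 20 10:05:10 freeipa-dev.ipa.school.edu krb5kdc[1234](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 10.0.0.51: PREAUTH_FAILED: teacher@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Preauthentication failed
"""

# Header of an MIT krb5kdc request line: timestamp, host, process, request
# type, the client's offered etypes (ignored), client IP and result status.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the remainder.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_line(line):
    """Return a dict for one krb5kdc request line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def request_chains(log_text):
    """Group (request type, status, server principal) per (client IP, client
    principal), preserving log order so the logon sequence can be read off."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec["client"]:
            chains[(rec["ip"], rec["client"])].append(
                (rec["req"], rec["status"], rec["server"]))
    return dict(chains)


def check_cross_realm_logon(log_text, local_realm, trusted_realm):
    """For each client chain, report whether the local KDC issued the initial
    TGT and the cross-realm TGT for the trusted realm, and whether pre-auth
    failed. A chain with both ISSUE steps means the local KDC did its part and
    the failure lies later in the exchange, on the client or the other KDC."""
    cross_tgt = f"krbtgt/{trusted_realm}@{local_realm}"
    report = {}
    for key, steps in request_chains(log_text).items():
        report[key] = {
            "tgt_issued": any(r == "AS_REQ" and s == "ISSUE" for r, s, _ in steps),
            "cross_realm_tgt_issued": any(
                r == "TGS_REQ" and s == "ISSUE" and srv == cross_tgt
                for r, s, srv in steps),
            "preauth_failed": any(s == "PREAUTH_FAILED" for _, s, _ in steps),
        }
    return report


if __name__ == "__main__":
    # Realm names are assumptions for the example; the post names only the AD domain.
    for (ip, client), flags in check_cross_realm_logon(
            SAMPLE_KDC_LOG, "IPA.SCHOOL.EDU", "AD.SCHOOL.EDU").items():
        print(f"{ip:<12} {client:<28} {flags}")
```

Run against a real /var/log/krb5kdc.log with the actual realm names to see, per workstation, whether the IPA KDC reached the cross-realm TGT step for the logging-on user. When it did, the IPA side of the exchange succeeded and the remaining traffic worth capturing is the workstation's subsequent request to the AD KDC; when the chain stops at the AS_REQ, the problem is still on the IPA side.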