Re: [Freeipa-users] FreeIPA as Samba Backend, Existing Users Fail

2017-01-13 Thread Alan Latteri
what steps did you use to connect samba to ipa?


> On Jan 11, 2017, at 1:00 PM, Armaan Esfahani wrote:
> 
> Hi, I have set up a Samba server to use FreeIPA as a password backend; however, 
> whenever I try to log in with existing users I get 
> “NT_STATUS_LOGON_FAILURE”. 
> Looking at the sssd_nss log on my IPA server, I get the following error on all 
> existing accounts: “(Wed Jan 11 15:56:11 2017) [sssd[nss]] [fill_sid] (0x0020): 
> Missing SID.”, whereas all new accounts function properly (after 
> resetting their passwords).
>  
> Anyone have any ideas?
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users 
> 
> Go to http://freeipa.org  for more info on the project

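The "Missing SID" message from sssd's nss responder means the user entry Samba asked about carries no Windows SID. As an added example (not code from this thread, from FreeIPA or from Samba), here is a small Python scanner that reads an LDIF dump of user entries and reports which ones lack the ipaNTSecurityIdentifier (SID) attribute and the ipaNTHash attribute that FreeIPA's ipasam passdb backend relies on. The attribute names are the standard FreeIPA ones; the LDIF entries below are constructed, and the base64 hash value in them is a dummy.

```python
"""Scan an LDIF dump of FreeIPA user entries for the attributes Samba's
ipasam backend needs.  Added example, not code from the thread or from
FreeIPA; the LDIF below is constructed for illustration."""

# Attributes FreeIPA keeps on a user once it has Samba/AD-trust support:
#   ipaNTSecurityIdentifier - the user's SID (what sssd's fill_sid looks for)
#   ipaNTHash               - NT hash, generated on the next password change
REQUIRED = ("ipaNTSecurityIdentifier", "ipaNTHash")

# Constructed sample: one pre-existing account without any Samba attributes,
# one fully provisioned account, and one with a SID but no NT hash yet.
SAMPLE_LDIF = """\
dn: uid=olduser,cn=users,cn=accounts,dc=example,dc=test
uid: olduser
objectClass: posixaccount
uidNumber: 10001

dn: uid=newuser,cn=users,cn=accounts,dc=example,dc=test
uid: newuser
objectClass: posixaccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==
uidNumber: 10002

dn: uid=halfdone,cn=users,cn=accounts,dc=example,dc=test
uid: halfdone
objectClass: posixaccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002
uidNumber: 10003
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.
    Attribute names are lower-cased; wrapped lines (leading space) are
    rejoined and base64 values ('::') are kept as their raw text, since we
    only test for presence."""
    entries, current, pending = [], {}, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith(" ") and pending is not None:
            pending[1] += line[1:]                  # LDIF line continuation
            continue
        if pending is not None:
            attr, value = pending
            current.setdefault(attr.lower(), []).append(value)
            pending = None
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        pending = [attr.strip(), value.lstrip(": ").strip()]
    return entries


def missing_samba_attrs(entries):
    """Map uid -> list of required attributes the entry does not carry.
    Entries without a uid (groups, containers) are skipped."""
    report = {}
    for entry in entries:
        if "uid" not in entry:
            continue
        missing = [a for a in REQUIRED if a.lower() not in entry]
        if missing:
            report[entry["uid"][0]] = missing
    return report


if __name__ == "__main__":
    for uid, missing in missing_samba_attrs(parse_ldif(SAMPLE_LIF if False else SAMPLE_LDIF)).items():
        print(f"{uid}: missing {', '.join(missing)}")
```

Run it over an ldapsearch dump of cn=users,cn=accounts from the IPA server (ipaNTHash is a protected attribute, so the search needs a sufficiently privileged bind) and the report lists the accounts that will keep failing Samba logon: those without a SID need one assigned (ipa-adtrust-install's --add-sids option does this for existing users), and those without an NT hash need a password change, which matches the observation above that new accounts only work after a password reset.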

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is 
the version provided.
Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is 
out of our control.

Alan

> On Jan 3, 2017, at 8:33 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Alan Latteri wrote:
>> Further investigation.
>> 
>> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is 
>> missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is 
>> created manually.
>> Maybe the install script for the client can be updated to check for and 
>> create it?
> 
> Is there a reason you're running 7.3 packages on a 7.2 system? I suspect
> that is the problem. AFAIU in 7.3 this directory is provided by krb5-libs.
> 
> Is there some feature you need in the 4.4 client installer on 7.2?
> 
> rob
> 
>> 
>> Thanks,
>> Alan
>> 
>>> On Jan 3, 2017, at 1:44 PM, Alan Latteri <a...@instinctualsoftware.com> 
>>> wrote:
>>> 
>>> Thanks Rob.
>>> 
>>> /etc/krb5.conf.d/  was in fact missing from the client, which is still on 
>>> CentOS 7.2 for reasons out of our control.
>>> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have 
>>> the /etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 
>>> client requires that dir but is not making it on upgrade and the cause of 
>>> the failure?
>>> 
>>> Alan
>>> 
>>>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> 
>>>> Alan Latteri wrote:
>>>>> Log is attached.
>>>> 
>>>> Look and see if /etc/krb5.conf.d/ and
>>>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>>>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>>>> filesystem perms are an issue but who knows.
>>>> 
>>>> You can also brute force things using strace -f to find out exactly what
>>>> can't be read.
>>>> 
>>>> rob
>>>> 
>>> 
>>> 
>> 
> 




Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Further investigation.

On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is 
missing, and therefore initial setup will fail unless /etc/krb5.conf.d/ is 
created manually.
Maybe the install script for the client can be updated to check for and create it?

Thanks,
Alan

> On Jan 3, 2017, at 1:44 PM, Alan Latteri <a...@instinctualsoftware.com> wrote:
> 
> Thanks Rob.
> 
> /etc/krb5.conf.d/  was in fact missing from the client, which is still on 
> CentOS 7.2 for reasons out of our control.
> Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the 
> /etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 client 
> requires that dir but is not making it on upgrade and the cause of the 
> failure?
> 
> Alan
> 
>> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> 
>> Alan Latteri wrote:
>>> Log is attached.
>> 
>> Look and see if /etc/krb5.conf.d/ and
>> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
>> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
>> filesystem perms are an issue but who knows.
>> 
>> You can also brute force things using strace -f to find out exactly what
>> can't be read.
>> 
>> rob
>> 
> 
> 




Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Alan Latteri
Thanks Rob.

/etc/krb5.conf.d/  was in fact missing from the client, which is still on 
CentOS 7.2 for reasons out of our control.
Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the 
/etc/krb5.conf.d/ directory, but are running fine.  So maybe the 4.4 client 
requires that dir but is not making it on upgrade and the cause of the failure?

Alan

> On Jan 3, 2017, at 1:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Alan Latteri wrote:
>> Log is attached.
> 
> Look and see if /etc/krb5.conf.d/ and
> /var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
> for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
> filesystem perms are an issue but who knows.
> 
> You can also brute force things using strace -f to find out exactly what
> can't be read.
> 
> rob
> 




[Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-02 Thread Alan Latteri
I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa 
to 4.4.  On some clients they failed to re-authenticate post upgrade.  I then 
did an ipa-client-install --uninstall, and then tried re-joining to IPA server with 
ipa-client-install --mkhomedir --force-ntpd --force-join.

Now I am getting the below error, and I have no idea how to recover.  Firewall 
is disabled.

Thanks,
Alan

User authorized to enroll computers: admin
Password for admin@XXX.LOCAL: 
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be 
read while initializing Kerberos 5 library 

Installation failed. Rolling back changes.
IPA client is not configured on this system.


[root@troll ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor 
preset: enabled)
   Active: inactive (dead)

Installed Packages
ipa-client.x86_64         4.4.0-14.el7.centos   @updates
ipa-client-common.noarch  4.4.0-14.el7.centos   @updates
ipa-common.noarch         4.4.0-14.el7.centos   @updates

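kinit's "Included profile directory could not be read" is raised when an includedir (or include) directive in krb5.conf points at something the library cannot open; the thread names two such directories, /etc/krb5.conf.d/ and /var/lib/sss/pubconf/krb5.include.d (the latter is the one ipa-client-install adds to /etc/krb5.conf for sssd). The check Rob suggests, as an added Python example that is not code from the thread, from FreeIPA or from MIT Kerberos: it parses the include directives out of a krb5.conf, verifies each target exists, is of the right type and is readable by the calling process, and the demo builds a constructed krb5.conf in a temporary directory with one directory deliberately missing.

```python
"""Check the targets of 'includedir' / 'include' directives in a krb5.conf.
Added example, not code from the thread, FreeIPA or MIT Kerberos; demo()
builds a constructed configuration so the check runs anywhere."""
import os
import re
import tempfile

# MIT krb5 requires the directive at the start of the line with an absolute path.
DIRECTIVE = re.compile(r"^(includedir|include)\s+(\S+)\s*$")


def find_includes(conf_text):
    """Return [(directive, path)] for every include/includedir line."""
    return [(m.group(1), m.group(2))
            for m in (DIRECTIVE.match(line) for line in conf_text.splitlines()) if m]


def check_includes(conf_text):
    """Return a list of (path, problem) for include targets that the library
    would fail to load: missing, wrong type, or not readable/searchable."""
    problems = []
    for directive, path in find_includes(conf_text):
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif directive == "includedir" and not os.path.isdir(path):
            problems.append((path, "not a directory"))
        elif directive == "include" and not os.path.isfile(path):
            problems.append((path, "not a regular file"))
        elif directive == "includedir" and not os.access(path, os.R_OK | os.X_OK):
            problems.append((path, "not readable/searchable"))
        elif directive == "include" and not os.access(path, os.R_OK):
            problems.append((path, "not readable"))
    return problems


def check_conf_file(path="/etc/krb5.conf"):
    """Convenience wrapper for a real host: check the live krb5.conf."""
    with open(path) as fh:
        return check_includes(fh.read())


def demo():
    """Constructed scenario mirroring the thread: krb5.conf.d exists, the
    sssd include directory was never created, and a plain include file is fine."""
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = os.path.join(tmp, "krb5.conf.d")
        os.mkdir(good_dir)
        missing_dir = os.path.join(tmp, "krb5.include.d")   # deliberately not created
        inc_file = os.path.join(tmp, "extra.conf")
        with open(inc_file, "w") as fh:
            fh.write("[libdefaults]\n")
        conf = (f"includedir {good_dir}\n"
                f"includedir {missing_dir}\n"
                f"include {inc_file}\n"
                "[libdefaults]\n default_realm = EXAMPLE.TEST\n")
        return check_includes(conf)


if __name__ == "__main__":
    for path, problem in demo():
        print(f"{path}: {problem}")
```

On a host that shows the kinit error, check_conf_file() run as the same user that runs the failing command prints exactly which include target is at fault; if every target exists and is readable, the remaining suspects are the ones Rob lists, an SELinux denial (look for AVCs) or something only strace -f will reveal.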

Re: [Freeipa-users] Upgrade to 4.4.0 Breaks login.

2016-12-27 Thread Alan Latteri
Can you provide an example of what file this entry should go into and what it 
looks like in the file? Do you have to do this on the client side, the server, or both?

Thanks,
Alan

> On Dec 23, 2016, at 4:43 AM, Dan Kemp wrote:
> 
> That did it, thanks! I could have sworn I tried that, maybe I ended up 
> putting it in in the wrong section. I wish whatever changed going from 4.2.0 
> to 4.4.0 that made SELinux required, took the selinux enforcement level into 
> account and updated the file accordingly.
> 
> 
> On Fri, Dec 23, 2016 at 4:31 AM, Alexander Bokovoy wrote:
> On Thu, 22 Dec 2016, Dan Kemp wrote:
> Hello,
> 
> I recently ran an upgrade of my freeipa servers, and most of the clients to
> 4.4.0 (Current with CentOS 7 repos) from version 4.2.0. After the install
> and server update, I can no longer log in to update clients via ssh. Login
> to non-update clients works as before.
> 
> The SSH connections fail with:
> 
> Connection closed by UNKNOWN
> 
> I ran sssd with debugging on a failing 4.4.0 client and got this error log:
> 
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 2)
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 1)
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [ldb] (0x4000): commit
> ldb transaction (nesting: 0)
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]]
> [selinux_child_create_buffer] (0x4000): buffer size: 45
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [child_handler_setup]
> (0x2000): Setting up signal handler up for pid [437]
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [child_handler_setup]
> (0x2000): Signal handler set up for pid [437]
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [sdap_process_result]
> (0x2000): Trace: sh[0x560c04c37790], connected[1], ops[(nil)],
> ldap[0x560c04c32d60]
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [sdap_process_result]
> (0x2000): Trace: end of ldap_result list
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [write_pipe_handler]
> (0x0400): All data has been sent!
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0400):
> selinux_child started.
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x2000):
> Running with effective IDs: [0][0].
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x2000):
> Running with real IDs [0][0].
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0400):
> context initialized
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): seuser length: 12
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): seuser: unconfined_u
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): mls_range length: 14
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): mls_range: s0-s0:c0.c1023
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): username length: 7
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [unpack_buffer]
> (0x2000): username: ipauser
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0400):
> performing selinux operations
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [sss_semanage_init]
> (0x0020): SELinux policy not managed
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [get_seuser]
> (0x0020): Cannot create SELinux handle
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]]
> [seuser_needs_update] (0x2000): get_seuser: ret: 5 seuser: unknown mls:
> unknown
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [sss_semanage_init]
> (0x0020): SELinux policy not managed
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [set_seuser]
> (0x0020): Cannot init SELinux management
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0020):
> Cannot set SELinux login context.
> (Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0020):
> selinux_child failed!
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [selinux_child_done]
> (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [dp_req_done] (0x0400):
> DP Request [PAM SELinux #3]: Request handler finished [0]: Success
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [_dp_req_recv]
> (0x0400): DP Request [PAM SELinux #3]: Receiving request data.
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [dp_req_destructor]
> (0x0400): DP Request [PAM SELinux #3]: Request removed.
> (Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [dp_req_destructor]
> (0x0400): Number of active DP request: 0
> (Wed Dec 20 20:38:13 2016) 
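The useful signal in a debug-level SSSD log like the one above is the handful of failure-level entries buried among the 0x2000/0x4000 traces; here the first of them, "SELinux policy not managed" from sss_semanage_init inside selinux_child, is the root of the chain that ends in "Connection closed". As an added Python example (not code from the thread or from SSSD), the triage below parses SSSD log lines, rejoins lines that the mailing list wrapped, and returns the failure-level entries in order. The sample lines are a subset of the log quoted above, with the child-process tags written in SSSD's full [[sssd[selinux_child[PID]]]] form; the level thresholds come from SSSD's debug-level scheme (0x0010 fatal, 0x0020 critical, 0x0040 operation failure, 0x0080 minor failure).

```python
"""Parse SSSD debug-log lines and pull out the failure-level entries.
Added example, not code from the thread or from SSSD; the sample lines are a
subset of the log quoted above, wrapped the way the mailing list wrapped them."""
import re

# (timestamp) [process tag] [function] (0xLEVEL): message
# The process tag is taken as one space-free token, so both the full form
# [[sssd[selinux_child[437]]]] and the truncated form the archive shows parse.
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<proc>\[+sssd\[\S+) "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
# SSSD debug levels: 0x0010 fatal, 0x0020 critical, 0x0040 op failure,
# 0x0080 minor failure; 0x0100 and above are configuration and trace output.
FAILURE_MAX = 0x0080
NEW_ENTRY = re.compile(r"^\((Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")

SAMPLE_LOG = """\
(Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [ldb] (0x4000): commit
ldb transaction (nesting: 0)
(Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0400):
selinux_child started.
(Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [sss_semanage_init]
(0x0020): SELinux policy not managed
(Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [get_seuser]
(0x0020): Cannot create SELinux handle
(Wed Dec 20 20:38:13 2016) [[sssd[selinux_child[437]]]] [main] (0x0020):
selinux_child failed!
(Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [selinux_child_done]
(0x0020): selinux_child_parse_response failed: [22][Invalid argument]
(Wed Dec 20 20:38:13 2016) [sssd[be[domain.local]]] [dp_req_done] (0x0400):
DP Request [PAM SELinux #3]: Request handler finished [0]: Success
"""


def rejoin(lines):
    """Yield whole log entries: a line starting with a weekday timestamp
    opens an entry, anything else is a wrapped continuation of the previous one."""
    buf = None
    for line in lines:
        line = line.rstrip()
        if NEW_ENTRY.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None and line:
            buf += " " + line.strip()
    if buf is not None:
        yield buf


def parse_entries(text):
    """Return a list of dicts (ts, proc, func, level as int, msg)."""
    entries = []
    for raw in rejoin(text.splitlines()):
        m = ENTRY.match(raw)
        if not m:
            continue                      # not an SSSD-formatted line; skip
        entry = m.groupdict()
        entry["level"] = int(entry["level"], 16)
        entries.append(entry)
    return entries


def failures(text):
    """(process, function, message) for every failure-level entry, in order."""
    return [(e["proc"], e["func"], e["msg"])
            for e in parse_entries(text) if e["level"] <= FAILURE_MAX]


def first_failure(text):
    """The earliest failure-level entry, usually the root cause candidate."""
    found = failures(text)
    return found[0] if found else None


if __name__ == "__main__":
    for proc, func, msg in failures(SAMPLE_LOG):
        print(f"{proc} {func}: {msg}")
```

Pointing it at /var/log/sssd/sssd_<domain>.log after reproducing the login gives the failure chain without the trace noise; reading it bottom-up from the first failure is what separates the symptom (selinux_child_parse_response failed) from the cause (the child could not open an SELinux management handle).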

Re: [Freeipa-users] FreeIPA and Samba

2016-10-11 Thread Alan Latteri
I am trying to get this to work, but our Samba server is not the same machine 
as our IPA server, and these instructions seem to assume that.  Any ideas?  All 
I need is the one Windows machine in our network to be able to access our Linux 
based server, using the same user/pass as that of our IPA authenticated Linux 
machines.


> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей wrote:
> 
> I read again the topic 
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
>  
> 
> It works exactly as I wanted.
> 
> ipa-adtrust-install created the following configuration:
> $ net conf list
> [global]
> workgroup = WORKGROUP
> netbios name = SMB
> realm = GW.SPB.RU
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab 
> 
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> log level = 1
> max log size = 10
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=gw,dc=spb,dc=ru
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> 
> But I don't understand why it wasn't put into smb.conf directly.
> 
> The second problem is 'passdb backend'. I didn't find any documentation about 
> this module. An attempt to replace the file socket with a network connection 
> failed, and I had to set up LDAP replication. It was easy, but 
> "ipa-replica-prepare" installed a whole IPA server (tomcat, java, ldap), not 
> only an ldap server. I need to continue reading the documentation. However, the 
> problem was solved. 
> 
> On 06.10.2016 23:51, Степаненко Алексей wrote:
>> Thank you for your reply. 
>> 
>> I've got a Samba server for a company; accounts are created by hand. Clients 
>> are various Windows or Linux desktops. 
>> 
>> I want to install FreeIPA and have one area for managing accounts (SMB, 
>> SSH access for other servers). Now I am preparing a clean Samba installation for 
>> testing. It would be great to use FreeIPA as the authorization server for Samba. 
>> 
>> I was looking for information about Samba + FreeIPA, but I found only this 
>> document. Maybe I am missing obvious things. 
>> 
>> 
>> On 06.10.2016 20:31, Loris Santamaria wrote: 
>>> The document you are linking to explains how to configure a samba file 
>>> server in a freeipa domain, which is one of many ways you can configure 
>>> and use a samba server. 
>>> 
>>> What do you want to achieve with samba, and what is your current setup? 
>>> 
>>> 
>>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote: 
>>>> Hello. 
>>>> 
>>>> I've read the topic about FreeIPA and SAMBA 
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA 
>>>> 
>>>> If I understand clearly, samba's client must be present in 
>>>> FreeIPA AD. 
>>>> Unfortunately, it does not work for me. I can't join some work 
>>>> desktops 
>>>> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has 
>>>> ldap support 
>>>> 
>>>>   ldap admin dn 
>>>>   ldap group suffix 
>>>>   ldap idmap suffix 
>>>>   ldap machine suffix 
>>>>   ldap passwd sync 
>>>>   ldap suffix 
>>>>   ldap user suffix 
>>>> 
>>>> Does it work with IPA? 
>>>> 
>>>> Thanks. 
>>>> 
>> 
>> 
>> 
> 


Re: [Freeipa-users] FreeIPA and Samba

2016-10-10 Thread Alan Latteri
Nice, I think that page may also solve my problem.  Going to try it soon.

> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей wrote:
> 
> I read again the topic 
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
>  
> 
> It works exactly as I wanted.
> 
> ipa-adtrust-install created the following configuration:
> $ net conf list
> [global]
> workgroup = WORKGROUP
> netbios name = SMB
> realm = GW.SPB.RU
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab 
> 
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> log level = 1
> max log size = 10
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=gw,dc=spb,dc=ru
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> 
> But I don't understand why it wasn't put into smb.conf directly.
> 
> The second problem is 'passdb backend'. I didn't find any documentation about 
> this module. An attempt to replace the file socket with a network connection 
> failed, and I had to set up LDAP replication. It was easy, but 
> "ipa-replica-prepare" installed a whole IPA server (tomcat, java, ldap), not 
> only an ldap server. I need to continue reading the documentation. However, the 
> problem was solved. 
> 
> On 06.10.2016 23:51, Степаненко Алексей wrote:
>> Thank you for your reply. 
>> 
>> I've got a Samba server for a company; accounts are created by hand. Clients 
>> are various Windows or Linux desktops. 
>> 
>> I want to install FreeIPA and have one area for managing accounts (SMB, 
>> SSH access for other servers). Now I am preparing a clean Samba installation for 
>> testing. It would be great to use FreeIPA as the authorization server for Samba. 
>> 
>> I was looking for information about Samba + FreeIPA, but I found only this 
>> document. Maybe I am missing obvious things. 
>> 
>> 
>> On 06.10.2016 20:31, Loris Santamaria wrote: 
>>> The document you are linking to explains how to configure a samba file 
>>> server in a freeipa domain, which is one of many ways you can configure 
>>> and use a samba server. 
>>> 
>>> What do you want to achieve with samba, and what is your current setup? 
>>> 
>>> 
>>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote: 
>>>> Hello. 
>>>> 
>>>> I've read the topic about FreeIPA and SAMBA 
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA 
>>>> 
>>>> If I understand clearly, samba's client must be present in 
>>>> FreeIPA AD. 
>>>> Unfortunately, it does not work for me. I can't join some work 
>>>> desktops 
>>>> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has 
>>>> ldap support 
>>>> 
>>>>   ldap admin dn 
>>>>   ldap group suffix 
>>>>   ldap idmap suffix 
>>>>   ldap machine suffix 
>>>>   ldap passwd sync 
>>>>   ldap suffix 
>>>>   ldap user suffix 
>>>> 
>>>> Does it work with IPA? 
>>>> 
>>>> Thanks. 
>>>> 
>> 
>> 
>> 
> 


Re: [Freeipa-users] FreeIpa Server + NFSv4 Kerberos mount problem.

2016-10-08 Thread Alan Latteri
I think your problem is FreeNAS and not IPA itself.  In FreeNAS 10 they will 
have built-in IPA functionality.

> On Oct 8, 2016, at 5:47 PM, Arthur Morales Sampaio wrote:
> 
> Good morning, my name is Arthur and I am working on the integration of 
> FreeIPA and NFSv4 mounting for home directory sharing for authenticated users.
> 
> This is the first time I am doing this so the problem could be simple. It's 
> been already a week that I have been struggling with this and I don't know 
> where else to ask for help. I have read pretty much everything that is to be 
> read online regarding Freeipa integration.
> 
> Here is my scenario:
> - FreeIPA server 4.2.0 - Centos7
> - FreeNAS (NFSv4 server) 10 - FreeBSD (bundled with FreeNAS)
> - Client Ubuntu 16.04. Installed IPA client using ipa-client-install and 
> imported LDAP credentials. Kerberos login is working properly I can log into 
> the machines using IPA users. But can't mount NFS4 using sec=krb5 option.
> 
> I have a functional FreeIPA server with Kerberos authentication working 
> properly. But I can't get NFSv4 authenticated to work in freeipa-clients. 
> 
> Following is the error that I am getting:
> 
> 
> 
> I know that this might not be enough detail for me to get help for this 
> problem. But the thing is that I don't know how to enable a more verbosity 
> functionality for this.
> 
> The desired behavior would be to create mounts for home directories of users 
> and enable kerberos security to mount them. Meaning that I need only the 
> owners to be able to mount them. 
> 
> This is something that is very confusing for me. Wouldn't I be required to 
> somehow pass to the mount command the username or any credentials of the 
> kerberos user just so the NFS server would know WHO is trying to mount the 
> directory?
> 
> I really exhausted my resources in trying to fix this issue. 
> 
> Does FreeIPA work with NFSv4? 
> 
> I sincerely appreciate your help on this one.
> 
> Best regards,
> Arthur


Re: [Freeipa-users] Samba Server setup

2016-09-15 Thread Alan Latteri
I too am running into this problem.  Looking forward to some feedback regarding 
this issue.

> On Sep 15, 2016, at 7:04 AM, Brook, Andy [CRI] wrote:
> 
> All,
>  I’m working on setting up Samba to serve files from a server attached to our 
> IPA domain. I followed the directions in 
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA. 
> Everything seems to work and I can access the files from another RHEL server 
> attached to the same domain using a Kerberos ticket from a user from the 
> trusted AD domain. However, I can’t access this share from a windows client 
> that is also attached to the trusted AD domain.
> 
> My smb.conf is as follows:
> [global]
>workgroup = IPA
>realm = IPA.DOMAIN
>kerberos method = dedicated keytab
>dedicated keytab file = FILE:/etc/samba/samba.keytab
>log file = /var/log/samba/log.%m
>log level = 3
>security = ads
>load printers = no
>disable spoolss = yes
>map to guest = Never
>restrict anonymous = 2
> 
> [spacetest]
>path = /var/www
>writable = yes
>browsable = yes
> 
> I put the keytab in place from the cifs service from the IPA server.
> 
> I feel like I’m missing something small, but I can’t seem to find it. Logs 
> from samba are here: http://pastebin.com/aMDXfR78
> 
> Andy Brook
> Sr. Systems Administrator | Center for Research Informatics | University of 
> Chicago
> T: 773-834-0458 | http://cri.uchicago.edu
> 
> 
> This e-mail is intended only for the use of the individual or entity to which
> it is addressed and may contain information that is privileged and 
> confidential.
> If the reader of this e-mail message is not the intended recipient, you are 
> hereby notified that any dissemination, distribution or copying of this
> communication is prohibited. If you have received this e-mail in error, 
> please 
> notify the sender and destroy all copies of the transmittal. 
> 
> Thank you
> University of Chicago Medicine and Biological Sciences 
> 
> 

