[Freeipa-users] AD trust showing offline after reboot
Hi

I followed the instructions mentioned in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD trust with IPA server. I successfully established the trust and am also able to list all AD users, but after I rebooted the system wbinfo --online-status returns offline for the AD domain and wbinfo -u is also not returning anything.

Is there anything I need to change to make it work across reboots?

--
Warm Regards
Supratik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] AD trust showing offline after reboot
Also, when I am running wbinfo -n 'AD\Domain Admins' I am getting the below error.

[root@master packages]# wbinfo -n 'AD\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Admins

On Thu, May 15, 2014 at 1:28 PM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> ipactl status shows all in running state.
>
> [root@master packages]# ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> DNS Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ADTRUST Service: RUNNING
> EXTID Service: RUNNING
>
> ipa user-show also shows the user.
>
> [root@master packages]# ipa user-show
> User login: admin
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   UID: 60260
>   GID: 60260
>   Account disabled: False
>   Password: True
>   Member of groups: admins, trust admins
>   Kerberos keys available: True
>
> I am using IPA version 3.0.0.
>
> On Thu, May 15, 2014 at 1:14 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote:
>>> [...]
>>
>> Did IPA start at all according to the ipactl status?
>>
>> Are you able to see native IPA users with ipa user-show?
>>
>> What is the IPA version you are using?
Re: [Freeipa-users] AD trust showing offline after reboot
The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC. I disabled the firewall but still the problem is there :-(

On Fri, May 16, 2014 at 7:14 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
>> Yes DNS is working fine and is able to return the IP address of the AD server.
>>
>> [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; QUESTION SECTION:
>> ;_ldap._tcp.ad.idm.example.com. IN SRV
>>
>> ;; ANSWER SECTION:
>> _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> master.ad.idm.example.com. 3600 IN A 10.255.0.4
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 10.255.0.4#53(10.255.0.4)
>> ;; WHEN: Fri May 16 10:46:23 2014
>> ;; MSG SIZE rcvd: 106
>>
>> In my case AD is the netbios name of the AD domain.
>>
>> Please find the log message from the file log.wb-AD.
>>
>> ...
>> [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
>> [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>   Connecting to 10.255.0.4 at port 445
>> [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>>   No nmbd found
>> [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:916(name_status_find)
>>   name_status_find: looking up AD#1c at 10.255.0.4
>> [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>>   namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
>> [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
>>   bind succeeded on port 0
>> [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>>   async_connect failed: No such file or directory
>> [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>>   nmbd not around
>> [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750470
>> [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>>   Running timed event tevent_req_timedout 0x1750590
>> [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
>>   name_status_find: name not found
>> [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>>   Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014 (60 seconds ahead)
>> [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>>   add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
>> class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>>   Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
>> [2014/05/16 10:50:54.455967, 10
Re: [Freeipa-users] AD trust showing offline after reboot
: addomain.example.com admins external map
  External member: S-1-5-21-2212595442-2951398754-4232868618-512
-------------------------
Number of members added 1
-------------------------

[root@ipaserver ~]# ipa group-add-member ad_admins --groups ad_admins_external
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 18964
  Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------

11. Verifying trust

[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa trust-show
Realm name: ADDOMAIN.EXAMPLE.COM
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain

Please note the error message while verifying trust. I am stuck completely and have no clue as to why the setup is not working as expected. Any help in fixing this problem would be appreciated.

On Fri, May 16, 2014 at 7:26 PM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> [...]
Re: [Freeipa-users] AD trust showing offline after reboot
Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot, but unfortunately it didn't work the first time itself.

Still failing after running the commands.

[root@ipaserver ~]# net conf setparm global client min protocol smb2_02
[root@ipaserver ~]# net conf setparm global client max protocol smb2_02
[root@ipaserver ~]# service winbind restart
Shutting down Winbind services:                            [  OK  ]
Starting Winbind services:                                 [  OK  ]
[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]#

The issue is reproducible every time if anyone follows the steps as I have done.

On Mon, May 19, 2014 at 4:45 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
>> Hi
>>
>> Let me start from the beginning once again. Let me explain to you what steps I followed during the setup.
>>
>> I am setting up the environment in Amazon AWS, both Windows AD server and Linux IPA configured in EC2. For configuring Windows 2008 I selected Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release Media (ami-8997afe0).
>>
>> I followed the steps from http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the domain names similar as in the example.
>>
>> IPA server hostname: ipaserver
>> IPA domain: ipadomain.example.com
>> IPA NetBIOS: IPADOMAIN
>> AD DC hostname: adserver
>> AD domain: addomain.example.com
>> AD NetBIOS: ADDOMAIN
>>
>> 1. Updated the system and installed the packages.
>>
>> # yum update -y
>> # yum install -y *ipa-server *ipa-server-trust-ad samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>>
>> List of important packages installed during the update are as follows.
>>
>> bind                    x86_64  32:9.8.2-0.23.rc1.el6_5.1
>> bind-dyndb-ldap         x86_64  2.3-5.el6
>> ipa-server              x86_64  3.0.0-37.el6
>> ipa-server-trust-ad     x86_64  3.0.0-37.el6
>> ipa-admintools          x86_64  3.0.0-37.el6
>> ipa-client              x86_64  3.0.0-37.el6
>> ipa-pki-ca-theme        noarch  9.0.3-7.el6
>> ipa-pki-common-theme    noarch  9.0.3-7.el6
>> ipa-python              x86_64  3.0.0-37.el6
>> ipa-server-selinux      x86_64  3.0.0-37.el6
>> samba4-client           x86_64  4.0.0-61.el6_5.rc4
>> samba4-winbind          x86_64  4.0.0-61.el6_5.rc4
>> samba4-winbind-clients  x86_64  4.0.0-61.el6_5.rc4
>> samba4                  x86_64  4.0.0-61.el6_5.rc4
>> samba4-common           x86_64  4.0.0-61.el6_5.rc4
>> samba4-libs             x86_64  4.0.0-61.el6_5.rc4
>> samba4-python           x86_64  4.0.0-61.el6_5.rc4
>
> ah, sorry, I think this might be a known issue, but I got on a wrong track because I thought it was working initially and only failed after reboot.
>
> Please try to set client min protocol and client max protocol in the samba configuration:
>
> net conf setparm global client min protocol smb2_02
> net conf setparm global client max protocol smb2_02
>
> restart winbind and try again.
>
> HTH
>
> bye,
> Sumit
>
>> 389-ds-base             x86_64  1.2.11.15-32.el6_5
>> 389-ds-base-libs        x86_64  1.2.11.15-32.el6_5
>> certmonger              x86_64  0.61-3.el6
>> krb5-server             x86_64  1.10.3-15.el6_5.1
>> krb5-workstation        x86_64  1.10.3-15.el6_5.1
>> sssd                    x86_64  1.9.2-129.el6_5.4
>> sssd-client             x86_64  1.9.2-129.el6_5.4
Re: [Freeipa-users] AD trust showing offline after reboot
PFA

On Tue, May 20, 2014 at 12:38 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
>> [...]
>
> It would be nice if you can send a second round of log files. Please stop winbind, remove all *winbind* and *wb* log files in /var/log/samba, make sure 'log level' is 10 or higher, start winbind, call wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind, put all *winbind* and *wb* log files in a tar/zip archive and send the archive.
>
> If you think the archive is too large for a mailing-list feel free to send them to me directly.
>
> bye,
> Sumit

winbind-logs.tar.gz
Description: GNU Zip compressed data
Re: [Freeipa-users] AD trust showing offline after reboot
Yes, you are correct, log level was set to 1. I have changed the log level value to 10 and collected the log files again, PFA.

[root@ipaserver samba]# net conf setparm global 'log level' 10
[root@ipaserver samba]# net conf list
[global]
    workgroup = IPADOMAIN
    realm = IPADOMAIN.EXAMPLE.COM
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    domain master = yes
    domain logons = yes
    max log size = 10
    log file = /var/log/samba/log.%m
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
    disable spoolss = yes
    ldapsam:trusted = yes
    ldap ssl = off
    ldap suffix = dc=ipadomain,dc=example,dc=com
    ldap user suffix = cn=users,cn=accounts
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    rpc_server:epmapper = external
    rpc_server:lsarpc = external
    rpc_server:lsass = external
    rpc_server:lsasd = external
    rpc_server:samr = external
    rpc_server:netlogon = external
    rpc_server:tcpip = yes
    rpc_daemon:epmd = fork
    rpc_daemon:lsasd = fork
    client min protocol = smb2_02
    client max protocol = smb2_02
    log level = 10

[share]
    comment = Trust test share
    read only = no
    valid users = S-1-5-21-2212595442-2951398754-4232868618
    path = /share

On Tue, May 20, 2014 at 1:38 PM, Sumit Bose <sb...@redhat.com> wrote:
> On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
>> PFA
>
> somewhat switched the log level back to 1
>
> doing parameter log level = 1
>
> can you check that 'net conf list' shows 'log level 10', if not please set it with
>
> net conf setparm 'log level' 10
>
> bye,
> Sumit
Re: [Freeipa-users] AD trust showing offline after reboot
Sumit,

Thank you so much for helping me in fixing the problem.

About the issue: NetBIOS was disabled in Windows AD, I think this is the default behavior for Windows 2008 R2 instances. After setting 'client max protocol' and 'client min protocol' winbind was able to resolve the AD users.

net conf setparm global 'client min protocol' CORE
net conf setparm global 'client max protocol' SMB2_02

You may close this case now.

On Tue, May 20, 2014 at 2:27 PM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> [...]
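The thread above closes on two Samba parameters, 'client min protocol' and 'client max protocol', plus the 'log level' Sumit asked for before collecting winbind logs. As an added example that is not part of the thread and not FreeIPA or Samba project code, the POSIX shell script below audits a saved `net conf list` dump for those three parameters: it reads only the [global] section, reports whether the client protocol range is pinned at all, whether it is the exact CORE/SMB2_02 pair the last message reports as working, and whether the log level is high enough for a useful log capture. The function names (smbconf_get, check_client_protocol, matches_thread_fix, log_level_ok, audit_netconf) and the three trimmed sample dumps (the final fix, the first smb2_02/smb2_02 attempt, and nothing set) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a saved 'net conf list' dump for
# the parameters the thread turned on. Runs offline on the constructed sample
# dumps at the bottom; on a real server run:
#   net conf list > /tmp/netconf.txt && audit_netconf /tmp/netconf.txt

# Print the value of one parameter from the [global] section only.
# Samba ignores case and spaces in parameter names, so do the same here.
smbconf_get() {
    key=$(printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = (tolower($0) == "[global]"); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# Upper-case a dialect name so smb2_02 and SMB2_02 compare equal.
proto_norm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# 0 when both bounds are set and the upper bound is an SMB2/SMB3 dialect,
# 1 otherwise (unset bounds leave winbind on the build's defaults, which is
# the state the failing logs in the thread were taken in).
check_client_protocol() {
    min=$(proto_norm "$(smbconf_get 'client min protocol' "$1")")
    max=$(proto_norm "$(smbconf_get 'client max protocol' "$1")")
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$max" in
        SMB2*|SMB3*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 only for the exact pair the last message reports as working against a
# 2008 R2 DC with NetBIOS disabled: min CORE, max SMB2_02. The earlier
# smb2_02/smb2_02 attempt in the thread still failed, so this is kept separate.
matches_thread_fix() {
    [ "$(proto_norm "$(smbconf_get 'client min protocol' "$1")")" = "CORE" ] &&
    [ "$(proto_norm "$(smbconf_get 'client max protocol' "$1")")" = "SMB2_02" ]
}

# 0 when 'log level' is 10 or higher (what Sumit asked for before collecting
# the winbind logs). Only the leading number is checked, so values such as
# "10 winbind:10" also pass.
log_level_ok() {
    lvl=$(smbconf_get 'log level' "$1")
    [ -n "$lvl" ] && [ "${lvl%% *}" -ge 10 ] 2>/dev/null
}

# Human-readable summary of one dump.
audit_netconf() {
    printf '== %s\n' "$1"
    printf 'client min protocol = %s\n' "$(smbconf_get 'client min protocol' "$1")"
    printf 'client max protocol = %s\n' "$(smbconf_get 'client max protocol' "$1")"
    if check_client_protocol "$1"; then echo 'client protocol range: pinned'
    else echo 'client protocol range: NOT pinned (build defaults in effect)'; fi
    if matches_thread_fix "$1"; then echo 'matches the CORE/SMB2_02 pair from the thread'; fi
    if log_level_ok "$1"; then echo 'log level >= 10: fine for log collection'
    else echo 'log level < 10: raise it before collecting winbind logs'; fi
}

# Constructed samples: a trimmed copy of the [global] section posted in the
# thread, with the three protocol settings the thread went through.
SAMPLE_FIXED=$(mktemp); SAMPLE_FIRST=$(mktemp); SAMPLE_UNSET=$(mktemp)
trap 'rm -f "$SAMPLE_FIXED" "$SAMPLE_FIRST" "$SAMPLE_UNSET"' EXIT
cat > "$SAMPLE_FIXED" <<'EOF'
[global]
    workgroup = IPADOMAIN
    realm = IPADOMAIN.EXAMPLE.COM
    security = user
    ldap suffix = dc=ipadomain,dc=example,dc=com
    client min protocol = CORE
    client max protocol = SMB2_02
    log level = 10
[share]
    comment = Trust test share
    read only = no
EOF
sed 's/= CORE$/= smb2_02/; s/= SMB2_02$/= smb2_02/' "$SAMPLE_FIXED" > "$SAMPLE_FIRST"
grep -v 'protocol' "$SAMPLE_FIXED" | sed 's/log level = 10/log level = 1/' > "$SAMPLE_UNSET"

audit_netconf "$SAMPLE_FIXED"; audit_netconf "$SAMPLE_FIRST"; audit_netconf "$SAMPLE_UNSET"
```

The lookup deliberately stops at the first section header after [global], so a `read only` or `valid users` line in the [share] section never masquerades as a global setting; the same awk pass works on a plain smb.conf as well as on `net conf list` output.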
[Freeipa-users] Registering Amazon Linux instance remotely
Hello,

My environment is completely in Amazon AWS and in my environment I have a FreeIPA setup 4.1.0-18.el7. I am using the auto scaling feature of Amazon AWS which dynamically creates systems from an AMI. The currently running machines in that group are Amazon Linux. I cannot install ipa-client in those machines because Amazon does not support that yet, but I have installed SSSD in those machines. The IPs of the machines are dynamically assigned at the time of the launch.

I want to run a setup script at the time of launch and register the client machines. Unfortunately I don't have any clue of what commands I should use to register the client machine remotely under a particular host group at the time of launch.

Please help.

Thanks.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD
Hi

I am using ipa-server-4.2.0 in my environment; it has a winsync agreement with the AD server. I want to move all new users to the "Stage Users" state automatically when they are synced from the AD. Can anyone please guide me on how to achieve it?

Any help is highly appreciated.
[Freeipa-users] Where should I create my Linux and Mac users in an AD IPA trust?
I am currently running IPA server 4.2 on RHEL 7.2 and I have created a two-way trust between my Windows AD and IPA server. I have a heterogeneous environment where I have Windows, Linux and Mac clients. The Windows users are present in AD and they can access the resources under IPA through the trust relationship.

What are the pros and cons:

1. When I create Linux and Mac users in the AD.
2. When I create Linux and Mac users in IPA.