Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread Dave Sirrine
Bill,

Can you let us know what version of FreeIPA you're using? This is most likely 
due to the occurrence of NT_STATUS_INVALID_PARAMETER, which is most likely a time 
skew issue between AD and IPA. Can you verify this? Thanks!

-- Dave

- Original Message -
 From: William Graboyes wgrabo...@cenic.org
 To: freeipa-users freeipa-users@redhat.com
 Sent: Wednesday, July 22, 2015 2:14:51 PM
 Subject: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not   
 start!)
 
 
 Hi All,
 
 I have been messing around with AD trust installs mainly around doing
 ntlm_auth for a radius server.
 
 However, as I was unable to see some of the needed resources, I
 thought maybe IPA may need a kick.
 
 So I ran the following command
 
 `ipactl restart`
 
 # ipactl restart
 Restarting Directory Service
 Restarting krb5kdc Service
 Restarting kadmin Service
 Restarting ipa_memcached Service
 Restarting httpd Service
 Restarting ipa-otpd Service
 Starting smb Service
 Job for smb.service failed. See 'systemctl status smb.service' and
 'journalctl -xn' for details.
 Failed to start smb Service
 Shutting down
 Aborting ipactl
 
 # systemctl status smb.service
 smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44
 PDT; 20s ago
   Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
 status=1/FAILURE)
  Main PID: 16752 (code=exited, status=1/FAILURE)
Status: Starting process...
CGroup: /system.slice/smb.service
 
 Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB
 Daemon...
 Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22
 11:01:43.956721,  0] ../source3/smbd/server.c:1269(main)
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main
 process exited, code=exited, status=1/FAILURE
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba
 SMB Daemon.
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service
 entered failed state.
 
 journalctl -xn provides no useful information, however journalctl
 does... sorta:
 
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824614,  0] ipa_sam.c:3574(get_fallback_group_sid)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory
 attribute ipaNTSecurityIdentifier.
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824829,  0] ipa_sam.c:4526(pdb_init_ipasam)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of
 fallback group.
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824878,  0]
 ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend
 ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly
 init (error was NT_STATUS_INVALID_PARAMETER)
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main
 process exited, code=exited, status=1/FAILURE
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba
 SMB Daemon.
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service
 entered failed state.
 
 
 Thanks,
 Bill
 
 
 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
 



Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread William Graboyes

Hi Dave,

There is no actual AD at this time.  Thanks :)

On 7/22/15 12:22 PM, Dave Sirrine wrote:
 Bill,
 
 Can you let us know what version of FreeIPA you're using? This is most
 likely due to the occurrence of NT_STATUS_INVALID_PARAMETER, which
 is most likely a time skew issue between AD and IPA. Can you verify
 this? Thanks!
 
 -- Dave
 



Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread Sumit Bose
On Wed, Jul 22, 2015 at 11:14:51AM -0700, William Graboyes wrote:
 
 Hi All,
 
 I have been messing around with AD trust installs mainly around doing
 ntlm_auth for a radius server.
 
 However, as I was unable to see some of the needed resources, I
 thought maybe IPA may need a kick.
 
 So I ran the following command
 
 `ipactl restart`
 
 # ipactl restart
 Restarting Directory Service
 Restarting krb5kdc Service
 Restarting kadmin Service
 Restarting ipa_memcached Service
 Restarting httpd Service
 Restarting ipa-otpd Service
 Starting smb Service
 Job for smb.service failed. See 'systemctl status smb.service' and
 'journalctl -xn' for details.
 Failed to start smb Service
 Shutting down
 Aborting ipactl
 
 # systemctl status smb.service
 smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
Active: failed (Result: exit-code) since Wed 2015-07-22 11:01:44
 PDT; 20s ago
   Process: 16752 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
 status=1/FAILURE)
  Main PID: 16752 (code=exited, status=1/FAILURE)
Status: Starting process...
CGroup: /system.slice/smb.service
 
 Jul 22 11:01:43 ipa-server-1.foo.bar systemd[1]: Starting Samba SMB
 Daemon...
 Jul 22 11:01:43 ipa-server-1.foo.bar smbd[16751]: [2015/07/22
 11:01:43.956721,  0] ../source3/smbd/server.c:1269(main)
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 1
 Jul 22 11:01:44 ipa-server-1.foo.bar smbd[16752]: GSSAPI client step 2
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: smb.service: main
 process exited, code=exited, status=1/FAILURE
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Failed to start Samba
 SMB Daemon.
 Jul 22 11:01:44 ipa-server-1.foo.bar systemd[1]: Unit smb.service
 entered failed state.
 
 journalctl -xn provides no useful information, however journalctl
 does... sorta:
 
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824614,  0] ipa_sam.c:3574(get_fallback_group_sid)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory
 attribute ipaNTSecurityIdentifier.
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824829,  0] ipa_sam.c:4526(pdb_init_ipasam)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Cannot find SID of
 fallback group.
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
 11:03:19.824878,  0]
 ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
 Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: pdb backend
 ipasam:ldapi://%2fvar%2frun%2fslapd-CENIC-ORG.socket did not correctly
 init (error was NT_STATUS_INVALID_PARAMETER)
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: smb.service: main
 process exited, code=exited, status=1/FAILURE
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Failed to start Samba
 SMB Daemon.
 Jul 22 11:03:19 ipa-server-1.foo.bar systemd[1]: Unit smb.service
 entered failed state.

You can try and run 'ipa-adtrust-install' a second time. This might add
all attributes smbd needs.


HTH

bye,
Sumit

 
 
 Thanks,
 Bill
 
 


Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread Alexander Bokovoy

On Wed, 22 Jul 2015, William Graboyes wrote:


Hi All,

I have been messing around with AD trust installs mainly around doing
ntlm_auth for a radius server.

However, as I was unable to see some of the needed resources, I
thought maybe IPA may need a kick.


This is your problem:

Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: [2015/07/22
11:03:19.824614,  0] ipa_sam.c:3574(get_fallback_group_sid)
Jul 22 11:03:19 ipa-server-1.foo.bar smbd[16903]: Missing mandatory
attribute ipaNTSecurityIdentifier.

What did you do?

Try to search as admin and as cifs/`hostname`:
# kinit admin
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
# kdestroy
# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'

If the first one gives you a proper entry with ipaNTSecurityIdentifier
and the second one does not return the same entry, you've broken ACIs.

If both of them are failing, you need to re-run 
ipa-adtrust-install --add-sids

to fix that.

--
/ Alexander Bokovoy
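
The two-identity check described in the message above, as an added example that is not part of the original thread: a Python sketch that parses saved `ldapsearch` output for each identity and applies the decision rule stated there. The function names, verdict strings and the SID value are assumptions made for illustration, and the sample LDIF is constructed to resemble the output shown in this thread.

```python
SID_ATTR = "ipantsecurityidentifier"   # attribute names are compared case-insensitively

def parse_ldif(text):
    """Parse ldapsearch output into entries: dict of lowercase attr -> list of values."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:                # drops SASL banner and "search result" blocks
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").rstrip())
    return entries

def fallback_group_sid(text, group_cn="Default SMB Group"):
    """SID on the cn=accounts entry, or None if the entry or attribute is not returned."""
    for entry in parse_ldif(text):
        dn = entry["dn"][0].lower()
        names = [v.lower() for v in entry.get("cn", [])]
        # The cn=compat copy only carries POSIX attributes, so it is skipped.
        if ",cn=accounts," in dn and group_cn.lower() in names:
            sids = entry.get(SID_ATTR)
            return sids[0] if sids else None
    return None

def triage(admin_out, cifs_out):
    """Apply the thread's rule to output captured as admin and as cifs/<hostname>."""
    admin_sid, cifs_sid = fallback_group_sid(admin_out), fallback_group_sid(cifs_out)
    if admin_sid and cifs_sid == admin_sid:
        return "ok"
    if admin_sid:
        return "aci"          # admin sees the SID, the cifs principal does not
    if not cifs_sid:
        return "add-sids"     # neither sees it: ipa-adtrust-install --add-sids
    return "unclassified"     # case not covered by the thread

# Constructed sample output (the SID below is a made-up placeholder).
NO_SID = """\
# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
gidNumber: 3512
"""
WITH_SID = NO_SID + "ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001\n"

if __name__ == "__main__":
    print(triage(NO_SID, NO_SID), triage(WITH_SID, NO_SID), triage(WITH_SID, WITH_SID))
```
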



Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread William Graboyes

Hi Alexander,

Thank you for the pointers. However, it seems that I am still not
getting the ipaNTSecurityIdentifier returned, even after re-running
the ipa-adtrust-install --add-sids (which I believe it gave me the
option for on initial install, and I said yes).

I followed the steps on this site (I believe you directed me there)

http://firstyear.id.au/entry/22

and the output from the commands:

[root@ipa-server-2 ~]# kinit admin
Password for ad...@foo.bar:
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: ad...@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to
this gr
oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@ipa-server-2 ~]# kdestroy
[root@ipa-server-2 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`
[root@ipa-server-2 ~]# ldapsearch -Y GSSAPI '(cn=Default SMB Group)'
SASL/GSSAPI authentication started
SASL username: cifs/ipa-server-2.foo@foo.bar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base dc=foo,dc=bar (default) with scope subtree
# filter: (cn=Default SMB Group)
# requesting: ALL
#

# Default SMB Group, groups, compat, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=foo,dc=bar
gidNumber: 3512
objectClass: posixGroup
objectClass: top
cn: Default SMB Group

# Default SMB Group, groups, accounts, foo.bar
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=foo,dc=bar
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to
this gr
oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: 3aa5e9ac-2f37-11e5-9ef4-5254002ece04
gidNumber: 3512

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Thanks,
Bill Graboyes

