When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1 (MIT Kerberos), it fails with the following error:
[root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC --range-type=ipa-ad-trust --two-way=true --admin=Administrator --server dc.atlas5.hpc
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials
IPA Server Versions
-------------------
[root@atlas5ipa samba]# rpm -qa | grep ipa
python2-ipaclient-4.5.4-10.el7.centos.noarch
ipa-server-trust-ad-4.5.4-10.el7.centos.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.16.0-19.el7.x86_64
sssd-ipa-1.16.0-19.el7.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
ipa-python-compat-4.5.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
ipa-common-4.5.4-10.el7.centos.noarch
python2-ipaserver-4.5.4-10.el7.centos.noarch
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-dns-4.5.4-10.el7.centos.noarch
libipa_hbac-1.16.0-19.el7.x86_64
ipa-server-common-4.5.4-10.el7.centos.noarch
python2-ipalib-4.5.4-10.el7.centos.noarch
ipa-client-common-4.5.4-10.el7.centos.noarch
[root@atlas5ipa samba]# rpm -qa | grep samba
samba-libs-4.7.1-6.el7.x86_64
samba-common-tools-4.7.1-6.el7.x86_64
samba-winbind-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-4.7.1-6.el7.x86_64
samba-winbind-modules-4.7.1-6.el7.x86_64
samba-python-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch
Samba DC Server Versions
------------------------
Samba 4.8.1 compiled with MIT Kerberos against GNUTLS 3.5.0
Note: The IPA server and Samba AD server are running on separate VMs. Both have CentOS 7.3.1611 installed.
Here are the last few lines in the /var/log/httpd/error_log file from the IPA server. You can see that information about both sides is being exchanged but it ends up failing.
---
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
out: struct lsa_lsaRSetForestTrustInformation
collision_info : *
collision_info : NULL
result : NT_STATUS_OK
rpc reply data:
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
in: struct lsa_QueryTrustedDomainInfoByName
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000016-0000-0000-f15a-25affc130000
trusted_domain : *
trusted_domain: struct lsa_String
length : 0x0014 (20)
size : 0x0014 (20)
string : *
string : 'atlas5.hpc'
level : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
signed SMB2 message
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
out: struct lsa_QueryTrustedDomainInfoByName
info : *
info : NULL
result : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
in: struct lsa_CreateTrustedDomainEx2
policy_handle : *
policy_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000016-0000-0000-f15a-25affc130000
info : *
info: struct lsa_TrustDomainInfoInfoEx
domain_name: struct lsa_StringLarge
length : 0x0014 (20)
size : 0x0016 (22)
string : *
string : 'atlas5.hpc'
netbios_name: struct lsa_StringLarge
length : 0x000c (12)
size : 0x000e (14)
string : *
string : 'ATLAS5'
sid : *
sid : S-1-5-21-600493320-3079828444-3896724992
trust_direction : 0x00000003 (3)
1: LSA_TRUST_DIRECTION_INBOUND
1: LSA_TRUST_DIRECTION_OUTBOUND
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000000 (0)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
auth_info_internal : *
auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
auth_blob: struct lsa_DATA_BUF2
size : 0x00000440 (1088)
data : *
data: ARRAY(1088)
access_mask : 0x00010000 (65536)
0: LSA_TRUSTED_QUERY_DOMAIN_NAME
0: LSA_TRUSTED_QUERY_CONTROLLERS
0: LSA_TRUSTED_SET_CONTROLLERS
0: LSA_TRUSTED_QUERY_POSIX
0: LSA_TRUSTED_SET_POSIX
0: LSA_TRUSTED_SET_AUTH
0: LSA_TRUSTED_QUERY_AUTH
signed SMB2 message
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
out: struct lsa_CreateTrustedDomainEx2
trustdom_handle : *
trustdom_handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_ACCESS_DENIED
[Tue May 08 10:07:34.739980 2018] [:error] [pid 3854] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN.COM: trust_add/1(u'ATLAS5.HPC', realm_admin=u'Administrator', realm_passwd=u'********', realm_server=u'dc.atlas5.hpc', range_type=u'ipa-ad-trust', bidirectional=True, version=u'2.228'): ACIError
---
When you look at the Samba AD trust list, it shows the following entry. If you delete the trust and try to add it again, the entry comes back.
[root@atlas5dc samba]# bin/samba-tool domain trust list
Type[Forest] Transitive[Yes] Direction[BOTH] Name[ipa.domain.com]
I have pored over this for days and cannot find a reason why it's saying NT_STATUS_ACCESS_DENIED. I've tried verifying all the tedious details like DNS SRV records and user SIDs, so now I feel like it's going to be something more obvious :)
Thanks,
nate
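The LSA call sequence in the quoted error_log is easier to read as a list of "which RPC returned what". The following Python helper is an added example, not part of nate's post or of FreeIPA/Samba; it parses Samba's RPC debug lines in the shape shown above (call header, `in:`/`out:` block, `result :`) and reports the first reply that is not the normal path. The sample log is a constructed, condensed copy of the lines in the post.

```python
import re

# Constructed sample: a condensed copy of the lsa_* lines quoted in the post
# (Samba RPC debug output as written to the IPA server's httpd error_log).
SAMPLE_LOG = """\
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
    out: struct lsa_lsaRSetForestTrustInformation
        result : NT_STATUS_OK
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    in: struct lsa_QueryTrustedDomainInfoByName
        string : 'atlas5.hpc'
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        result : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    in: struct lsa_CreateTrustedDomainEx2
        string : 'atlas5.hpc'
        trust_direction : 0x00000003 (3)
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        result : NT_STATUS_ACCESS_DENIED
"""

CALL_RE = re.compile(r"^\s*(lsa_\w+): struct lsa_\w+\s*$")
DIR_RE = re.compile(r"^\s*(in|out): struct lsa_\w+")
RESULT_RE = re.compile(r"^\s*result\s*:\s*(NT_STATUS_\w+)")

def parse_lsa_calls(text):
    """Return one {'call', 'result'} record per 'out:' block, in log order."""
    calls, current, direction = [], None, None
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            current, direction = m.group(1), None
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := RESULT_RE.match(line)) and current and direction == "out":
            calls.append({"call": current, "result": m.group(1)})
    return calls

def first_failure(calls):
    """First non-success reply. NOT_FOUND on the lookup of the trust that is
    about to be created is the normal 'does not exist yet' path, not a failure."""
    for c in calls:
        if c["result"] == "NT_STATUS_OK":
            continue
        if (c["call"] == "lsa_QueryTrustedDomainInfoByName"
                and c["result"] == "NT_STATUS_OBJECT_NAME_NOT_FOUND"):
            continue
        return c
    return None
```

Run against the real error_log, the output pinpoints the RPC the DC rejected (here lsa_CreateTrustedDomainEx2 with NT_STATUS_ACCESS_DENIED) rather than the generic "CIFS server denied your credentials" that ipa prints.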