On Tue, 03 Mar 2020, C T via FreeIPA-users wrote:
I am trying to set up a samba server as part of a freeipa domain. I'd like
users on windows machines from two trusted AD domains to access shares on
the server (both users and computers are in the trusted AD domains).

I've been through the docs (RHEL 8 "Setting up Samba on an IDM domain member",
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA)
and built a couple of servers using CentOS 8; results are the same each
time -- no worky.

These servers integrate with Freeipa fine -- users from both trusted AD
domains can SSH in etc. But errors are legion in samba. Both IPA and AD
domains (and the trust relationships) have been in production for a while
working fine so I'm pretty confident DNS is ok. Kerberos seems to be
working fine too as I can kinit users in all domains OK from the samba
box. I'm confident firewalls are not blocking anything. I'm thinking it's
winbind that is the key problem, with it somehow not being able to auth to
the AD domains, but I'm not experienced with Samba/winbind so I'm
struggling after all day on it. Any guidance would be appreciated.

Your details are not enough. Could you please show exactly what you ran
to set up the file server and what problems you see. No need to show
Samba logs without that first.
The instructions in RHEL 8 documentation (basically, have RHEL 8.1
machines for IPA master and IPA client, install and run ipa-client-samba
tool and start smb/winbind services) should be enough. Anything else is
not needed and should not be needed.
Do not look into wbinfo output, it is misleading and is not really
relevant here. Show how you set things up. We have SMB setup tested
every week in upstream CI, for both IPA users and trusted AD users and
there have been no issues for quite some time:
Fedora 31:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cb96c...
Fedora 30:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/68aea...
You can expand the reports to see detailed logs,
https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_sm...
is the test suite that defines all those tests.
Can you show how smbclient behaves when you are using it against the SMB
server you set up? You can see expected use and expected output in the
test reports above.
Also, design documents for the integration are here:
Domain Member:
https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-m...
Domain Controller:
https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-c...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland