I messed up somehow with my samba server. I'm trying to access a linux share from windows and the log on the linux server says: [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/myserver.mydomain.local@MYDOMAIN.LOCAL kvno 8 not found in keytab; ticket is likely out of date]
How can I fix this?
Thank you.
-----------------------------------------
# net ads keytab list
Vno  Type                                     Principal
 16  AES-256 CTS mode with 96-bit SHA-1 HMAC  cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
 16  AES-128 CTS mode with 96-bit SHA-1 HMAC  cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
-----------------------------------------
# net conf list
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=mydomain,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

[scratch]
path = /data/scratch
comment = Scratch shared files
create mask = 0644
invalid users = opera
On Tue, 12 Mar 2019, fujisan via FreeIPA-users wrote:
I messed up somehow with my samba server. I'm trying to access a linux share from windows and the log on the linux server says: [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/myserver.mydomain.local@MYDOMAIN.LOCAL kvno 8 not found in keytab; ticket is likely out of date]
How can I fix this?
Can you give more details about your setup? Where do you run your Samba server? The config below looks like the one produced by ipa-adtrust-install on an IPA master, so do you run it on the IPA master?
Can you explain what you did to set it up?
Can you show output of
kinit admin
kvno cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
?
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Yes, the samba server is located on the freeipa master server.
# kvno cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
cifs/myserver.mydomain.local@MYDOMAIN.LOCAL: kvno = 16
I ran ipa-adtrust-install
# ipa-adtrust-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'. This user is a regular system account used for IPA server administration.
admin password:
Do you want to enable support for trusted domains in Schema Compatibility plugin? This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
The following operations may take some minutes to complete. Please wait until the prompt is returned.
Configuring CIFS
  [1/24]: validate server hostname
  [2/24]: stopping smbd
  [3/24]: creating samba domain object
Samba domain object already exists
  [4/24]: creating samba config registry
  [5/24]: writing samba config file
  [6/24]: adding cifs Kerberos principal
  [7/24]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/24]: check for cifs services defined on other replicas
  [9/24]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/24]: adding RID bases
RID bases already set, nothing to do
  [12/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/24]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/24]: map BUILTIN\Guests to nobody group
  [16/24]: configuring smbd to start on boot
  [17/24]: adding special DNS service records
  [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/24]: adding fallback group
Fallback group already set, nothing to do
  [21/24]: adding Default Trust View
Default Trust View already exists.
  [22/24]: setting SELinux booleans
  [23/24]: starting CIFS services
  [24/24]: restarting smbd
Done configuring CIFS.
============================================================================= Setup complete
You must make sure these network ports are open:
TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
On Tue, 12 Mar 2019, Fuji San via FreeIPA-users wrote:
Yes, the samba server is located on the freeipa master server.
# kvno cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
cifs/myserver.mydomain.local@MYDOMAIN.LOCAL: kvno = 16
I ran ipa-adtrust-install
You must have run something else too multiple times as cifs/.. key was re-issued 16 times.
Can you show more detailed smbd logs when a client connects?
Use
net conf setparm global loglevel 10
then collect logs after a test (from /var/log/samba/log.*) and make them available somewhere.
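The kvno mismatch that opened this thread (ticket kvno 8, keytab and KDC at kvno 16) can be triaged mechanically from the three outputs already posted: the GSS error text, "net ads keytab list" and "kvno". The following Python script is an added example, not code from the thread or from FreeIPA/Samba; its sample strings are constructed from the values above, and the decision rules are standard Kerberos semantics (the kvno in a service ticket is the key version the KDC encrypted it with, so the service needs exactly that version in its keytab), not something the thread itself states.

```python
"""Triage a "kvno N not found in keytab" GSS failure for a Samba cifs/ principal.

Added example, not code from the FreeIPA-users thread. It parses the error text,
the `net ads keytab list` output and the `kvno` output in the shapes seen in the
thread and decides whether the client's ticket or the server's keytab is stale.
"""
import re

# Constructed sample input, copied in shape from the thread (kvno 8 in the ticket,
# kvno 16 in the keytab and at the KDC).
GSS_ERROR = (
    "Unspecified GSS failure. Minor code may provide more information: "
    "Request ticket server cifs/myserver.mydomain.local@MYDOMAIN.LOCAL "
    "kvno 8 not found in keytab; ticket is likely out of date"
)
KEYTAB_LISTING = """\
Vno  Type                                     Principal
 16  AES-256 CTS mode with 96-bit SHA-1 HMAC  cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
 16  AES-128 CTS mode with 96-bit SHA-1 HMAC  cifs/myserver.mydomain.local@MYDOMAIN.LOCAL
"""
KVNO_OUTPUT = "cifs/myserver.mydomain.local@MYDOMAIN.LOCAL: kvno = 16"


def parse_gss_error(text):
    """Return (principal, kvno) named in the 'not found in keytab' message."""
    m = re.search(r"Request ticket server (\S+) kvno (\d+) not found in keytab", text)
    if not m:
        raise ValueError("not a kvno-mismatch GSS error")
    return m.group(1), int(m.group(2))


def keytab_kvnos(listing):
    """Map principal -> set of key versions present, from `net ads keytab list` output."""
    kvnos = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():   # skip the header row
            kvnos.setdefault(parts[-1], set()).add(int(parts[0]))
    return kvnos


def kdc_kvno(kvno_output):
    """Return (principal, kvno) the KDC currently issues, from `kvno PRINCIPAL` output."""
    m = re.search(r"^(\S+): kvno = (\d+)", kvno_output.strip())
    if not m:
        raise ValueError("unexpected kvno output")
    return m.group(1), int(m.group(2))


def triage(gss_error, keytab_listing, kvno_output):
    """Decide which side is out of date.

    A service ticket carries the kvno of the key the KDC encrypted it with, and the
    service can only decrypt it if that version is in its keytab. `kvno` against the
    KDC reports the version being handed out right now.
    """
    principal, ticket_kvno = parse_gss_error(gss_error)
    kdc_principal, current = kdc_kvno(kvno_output)
    if kdc_principal != principal:
        raise ValueError("kvno output is for a different principal")
    in_keytab = keytab_kvnos(keytab_listing).get(principal, set())

    if ticket_kvno in in_keytab:
        return "keytab-has-key"        # decryption should work; check keytab path/permissions instead
    if current not in in_keytab:
        return "keytab-stale"          # KDC already rotated the key; refetch the keytab on the server
    if ticket_kvno < current:
        return "client-ticket-stale"   # ticket predates the rotation; client must drop its cached ticket
    return "ticket-newer-than-kdc"     # ticket kvno above the KDC's: not all KDCs/replicas agree on the key


if __name__ == "__main__":
    print(triage(GSS_ERROR, KEYTAB_LISTING, KVNO_OUTPUT))
```

For the thread's values the verdict is "client-ticket-stale": the keytab and the KDC agree on kvno 16, so the Windows client is presenting a ticket issued before one of the re-issues Alexander points at, and purging the client's ticket cache (klist purge on Windows, kdestroy on Linux) is the fix on that side. A "keytab-stale" verdict would instead call for refetching the cifs/ key into /etc/samba/samba.keytab on the server with ipa-getkeytab.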
I sent you a mail with a link to the log tar file at abokovoy@redhat.com
On Tue, 12 Mar 2019, Fuji San via FreeIPA-users wrote:
I sent you a mail with a link to the log tar file at ...
Thanks.
According to the logs you sent, there is no share that a client tries to access.
How did you add the share?
Samba on IPA master uses a particular configuration with its configuration stored in the Samba registry. This means that actual smb.conf on IPA master looks like this:
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry
Anything added after 'config backend = registry' line is ignored by Samba.
If you want to add a share, use 'net conf addshare' command. Once you added a share definition, its settings can be updated with
net conf setparm 'sharename' 'parameter' 'value'
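Because everything after the "config backend = registry" line is ignored, a share pasted into /etc/samba/smb.conf on an IPA master silently disappears. The Python helper below is an added example, not code from Alexander's reply or from Samba: it parses an smb.conf in the layout shown above, lists the settings Samba will skip, and prints the "net conf addshare" / "net conf setparm" commands that put the same settings into the registry. The sample smb.conf is constructed; it adds one ignored global parameter on top of the [scratch] share from the thread so both cases are visible.

```python
"""Flag smb.conf settings that Samba ignores after `config backend = registry`
and turn them into `net conf` commands.

Added example, not code from the thread or from Samba. The parsing follows the
smb.conf layout shown in the thread; the sample below is constructed.
"""
import shlex

# Constructed sample: the IPA-installer header plus a share appended by hand,
# with one extra global parameter after the registry directive.
SAMPLE_SMB_CONF = """\
### Added by IPA Installer ###
[global]
debug pid = yes
config backend = registry
log level = 1

[scratch]
path = /data/scratch
comment = Scratch shared files
create mask = 0644
invalid users = opera
"""


def ignored_settings(text):
    """Return [(section, parameter, value)] for every setting that follows the
    first `config backend = registry` line in [global]; Samba reads nothing past it."""
    ignored, section, past_directive = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line or section is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if past_directive:
            ignored.append((section, key, value))
        elif section.lower() == "global" and key == "config backend" and value.lower() == "registry":
            past_directive = True
    return ignored


def net_conf_commands(text):
    """Emit the `net conf` commands that store the ignored settings in the registry.
    `net conf addshare NAME PATH` creates the share; every other setting is a setparm."""
    cmds, shares = [], {}
    for section, key, value in ignored_settings(text):
        if section.lower() == "global":
            cmds.append("net conf setparm global %s %s" % (shlex.quote(key), shlex.quote(value)))
        else:
            shares.setdefault(section, []).append((key, value))
    for share, params in shares.items():
        path = dict(params).get("path")
        if path is None:
            cmds.append("# %s: no 'path' found; 'net conf addshare' needs one" % share)
            continue
        cmds.append("net conf addshare %s %s" % (shlex.quote(share), shlex.quote(path)))
        cmds.extend(
            "net conf setparm %s %s %s" % (shlex.quote(share), shlex.quote(k), shlex.quote(v))
            for k, v in params if k != "path"
        )
    return cmds


if __name__ == "__main__":
    for section, key, value in ignored_settings(SAMPLE_SMB_CONF):
        print("ignored: [%s] %s = %s" % (section, key, value))
    print("\n".join(net_conf_commands(SAMPLE_SMB_CONF)))
```

Run it against the real /etc/samba/smb.conf and compare with "net conf list": anything the script reports as ignored and that does not appear in the registry dump is a setting smbd never saw.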
I added a share in smb.conf.regedit, then imported the file with net conf import smb.conf.regedit. I sent you another tar file at your email.
Regards F
# net conf list
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=mydomain,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
log level = 10

[scratch]
path = /data/scratch
comment = Scratch shared files
create mask = 0644
invalid users = opera
On Tue, Mar 12, 2019 at 6:15 PM Alexander Bokovoy abokovoy@redhat.com wrote:
On Tue, 12 Mar 2019, Fuji San via FreeIPA-users wrote:
I sent you a mail with a link to the log tar file at ...
Thanks.
According to the logs you sent, there is no a share that a client tries to access.
How did you add the share?
Samba on IPA master uses a particular configuration with its configuration stored in the Samba registry. This means that actual smb.conf on IPA master looks like this:
### Added by IPA Installer ### [global] debug pid = yes config backend = registry
Anything added after 'config backend = registry' line is ignored by Samba.
If you want to add a share, use 'net conf addshare' command. Once you added a share definition, its settings can be updated with
net conf setparm 'sharename' 'parameter' 'value'
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
On Tue, 12 Mar 2019, fujisan wrote:
I added a share in smb.conf.regedit then I imported the file with net conf import smb.conf.regedit . I send you another tar file at your email.
Regards F
Thanks. However, Samba says /data/scratch is a symlink to /tmp which is outside of the share and therefore fails:
[2019/03/12 18:29:40.679585,  2, pid=20580, effective(1024, 1023), real(1024, 0), class=vfs] ../source3/smbd/vfs.c:1305(check_reduced_name)
  check_reduced_name: Bad access attempt: . is a symlink outside the share path conn_rootdir =/data/scratch resolved_name=/tmp
[2019/03/12 18:29:40.679613,  5, pid=20580, effective(1024, 1023), real(1024, 0)] ../source3/smbd/filename.c:1271(check_name)
  check_name: name . failed with NT_STATUS_ACCESS_DENIED
Maybe you can try with /data/scratch not being a symlink. Samba is pretty serious about not allowing wide symlinks by default.
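The log line above is smbd refusing a name whose resolved path leaves the share root. The Python script below is an added example, not Samba's code and not anything posted in the thread: a simplified version of that containment check, run against a throwaway share tree it builds in a temp directory (a plain sub-directory, a relative symlink that stays inside, an absolute symlink pointing outside, a ".." walk, and a share whose root is itself a symlink). The configured root is compared literally, without resolving it, so the last case yields the same shape of mismatch as conn_rootdir =/data/scratch versus resolved_name=/tmp in the log.

```python
"""Simplified share-root containment check, in the spirit of smbd's check_reduced_name.

Added example, not Samba's code. It answers one question: after following every
symlink, does a name requested under a share still live under the share's root?
The demo builds its own share tree in a temp directory (constructed fixture).
"""
import os
import shutil
import tempfile


def resolves_inside_share(share_root, name):
    """True if share_root/name resolves (through symlinks) to the share root or below it.

    The configured root is taken literally, as written in the share definition; only
    the requested name is resolved. A root that is itself a symlink therefore fails
    even for '.', because its real location is not under the configured path.
    """
    root = os.path.abspath(share_root)
    resolved = os.path.realpath(os.path.join(root, name))
    return resolved == root or resolved.startswith(root + os.sep)


def demo():
    """Build a fixture and run the check over representative names; returns {name: allowed}."""
    base = os.path.realpath(tempfile.mkdtemp())
    share = os.path.join(base, "scratch")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(share, "docs"))
    os.mkdir(outside)
    os.symlink("docs", os.path.join(share, "inner_link"))   # relative link that stays inside
    os.symlink(outside, os.path.join(share, "escape"))      # absolute link that leaves the share
    linked_root = os.path.join(base, "linkshare")
    os.symlink(outside, linked_root)                        # a share whose root is itself a symlink

    results = {
        name: resolves_inside_share(share, name)
        for name in (".", "docs", "inner_link", "escape", "../outside")
    }
    results["linkshare:."] = resolves_inside_share(linked_root, ".")
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-12s %s" % (name, "ok" if allowed else "NT_STATUS_ACCESS_DENIED"))
```

Samba's own behaviour is governed by the "wide links" parameter (default no) together with "follow symlinks"; the safe response to the log above is the one Alexander gives, a share root that is a real directory, rather than loosening those settings.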
This is strange, as /data and /tmp are 2 partitions on my server and scratch is a directory in /data.

/dev/mapper/fedora-data  2832342640  946566920  1741877916  36%  /data
/dev/mapper/fedora-tmp    153769424      61780   145826940   1%  /tmp

# ls -l /data/
total 52
drwxrwx---. 5 root staff 4096 Mar 11 13:02 scratch
There is absolutely no symlink involved here.
# smbstatus

Samba version 4.9.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
20580   smith        smith        10.0.21.223 (ipv4:10.0.21.223:49971)      SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
scratch      20580   10.0.21.223   Tue Mar 12 06:29:41 PM 2019 CET  -            -
scratch      20533   10.0.21.251   Tue Mar 12 06:29:06 PM 2019 CET  -            -
IPC$         20580   10.0.21.223   Tue Mar 12 06:29:37 PM 2019 CET  -            -

Locked files:
Pid     Uid     DenyMode    Access      R/W     Oplock   SharePath       Name   Time
--------------------------------------------------------------------------------------------------
20533   1011    DENY_NONE   0x100081    RDONLY  NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
20533   1011    DENY_NONE   0x100081    RDONLY  NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
Regards F
On Tue, 12 Mar 2019, fujisan wrote:
This is strange as /data and /tmp are 2 partitions on my server and scratch is a directory in /data
There is absolutely no symlink involved here.
That's what the log tells, I'm not inventing anything here. :)
Locked files:
Pid     Uid     DenyMode    Access      R/W     Oplock   SharePath       Name   Time
20533   1011    DENY_NONE   0x100081    RDONLY  NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
20533   1011    DENY_NONE   0x100081    RDONLY  NONE     /data/scratch   .      Tue Mar 12 18:29:06 2019
Note this '.' file? This is what smbd complains about.
As far as the rest of the configuration is concerned, it seems that you are using NTLMSSP to log in to smbd, and it works. Also, since smbd is able to pull the data from LDAP, its own cifs/... principal in /etc/samba/samba.keytab is just fine.
Hi Alexander, I finally succeeded in making it work with the following configuration on the FreeIPA server.
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
smb ports = 139 445
log level = 10

[scratch]
path = /data/scratch
comment = Scratch shared files
read only = no
browseable = yes
guest ok = no
create mask = 0644
I commented out the following from the global section:
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;disable spoolss = yes
;ldapsam:trusted = yes
;ldap ssl = off
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
;ldap group suffix = cn=groups,cn=accounts
;ldap machine suffix = cn=computers,cn=accounts
Any idea why this was causing trouble?
The smbstatus below shows several '.' as well as a file that I'm accessing.
Samba version 4.9.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
23252   beauduin     mydomain     10.0.21.247 (ipv4:10.0.21.247:39798)      SMB3_02           -                    partial(AES-128-CMAC)
23253   baina        mydomain     10.0.21.251 (ipv4:10.0.21.251:62736)      SMB3_02           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
scratch      23252   10.0.21.247   Wed Mar 13 10:16:14 AM 2019 CET  -            -
scratch      23253   10.0.21.251   Wed Mar 13 10:16:17 AM 2019 CET  -            -
public       23252   10.0.21.247   Wed Mar 13 10:16:21 AM 2019 CET  -            -

Locked files:
Pid     Uid     DenyMode    Access      R/W     Oplock       SharePath       Name                      Time
--------------------------------------------------------------------------------------------------
23252   1010    DENY_NONE   0x100081    RDONLY  NONE         /data/public    .                         Wed Mar 13 10:16:21 2019
23252   1010    DENY_WRITE  0x120089    RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252   1010    DENY_NONE   0x120080    RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252   1010    DENY_NONE   0x120089    RDONLY  LEASE(RWH)   /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23253   1011    DENY_NONE   0x100081    RDONLY  NONE         /data/scratch   .                         Wed Mar 13 10:16:16 2019
23252   1010    DENY_NONE   0x100081    RDONLY  NONE         /data/scratch   .                         Wed Mar 13 10:16:20 2019
23253   1011    DENY_NONE   0x100081    RDONLY  NONE         /data/scratch   .                         Wed Mar 13 10:16:16 2019
23252   1010    DENY_NONE   0x100081    RDONLY  NONE         /data/scratch   .                         Wed Mar 13 10:16:22 2019
23252   1010    DENY_NONE   0x1000a0    RDONLY  NONE         /data/scratch   .                         Wed Mar 13 10:19:24 2019
Also, when I check the properties of a file in the FreeIPA server's share /data/scratch, "Security" tab in Windows, the SIDs of the user and group are not resolved. My desktop is also a Samba server and there the SIDs are resolved.
What could be the cause of this non-resolution of the SIDs?
Thank you.
Regards, F
On Wed, 13 Mar 2019, fujisan wrote:
Hi Alexander, Finally succeeded to make it work with the following configuration on the freeipa server.
I commented out the following from the global section:
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;disable spoolss = yes
;ldapsam:trusted = yes
;ldap ssl = off
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
;ldap group suffix = cn=groups,cn=accounts
;ldap machine suffix = cn=computers,cn=accounts
Any idea why this was causing trouble?
You basically killed IPA integration here by doing it. Not resolving users and SIDs through IPA LDAP and not setting up any other way to resolve it.
Also, when i check in the properties, tab "security" in windows, of a file in the freeipa server's share /data/scratch, the SIDs of user and group are not resolved. My desktop is also a samba server and the SIDs are resolved.
What could be the cause of this non-resolution of the SIDs?
Everything. ;)
We do not support yet properly running Samba file server on IPA member (or IPA master, for that matter). I'm working on that and have some proof of concept but it is not finished yet.
OK, looking forward to seeing your work done.
Regards. F