[Freeipa-users] Woes adding a samba server to the ipa domain

Loris Santamaria loris at lgs.com.ve
Mon Oct 20 13:15:52 UTC 2014


Hi all,

I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.

I know that this configuration is not supported, but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
could get.

First step, added a group for Domain Computers in ipa, with SID
S-1-XXXX-515:

dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:

dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.

Fourth step, added a simple samba configuration file on the future samba
server:

[global]
	workgroup = YYYY
	realm = XXXX
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	log file = /var/log/samba/log.%m
	max log size = 100000
	security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.

It seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.

Best regards   

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
-------------- next part --------------
[New LWP 2559]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `/usr/sbin/smbd'.
Program terminated with signal 6, Aborted.
#0  0x00007fe01c9f15c9 in __GI_raise (sig=6, sig@entry=<error reading variable: Cannot access memory at address 0x7fff3f7cf968>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
-------------- next part --------------
Core was generated by `pdbedit -L gcentralproxy$'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, format=<optimized out>, 
    format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
1635		  process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0  0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, format=<optimized out>, 
    format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
#1  0x00007faea18401b5 in ___vsnprintf_chk (s=s@entry=0x7ffff4db225f "", maxlen=<optimized out>, maxlen@entry=1, flags=flags@entry=1, slen=slen@entry=1, 
    format=format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7ffff4db2260) at vsnprintf_chk.c:63
#2  0x00007faea1d055c5 in vsnprintf (__ap=0x7ffff4db2260, __fmt=<optimized out>, __n=1, __s=0x7ffff4db225f "") at /usr/include/bits/stdio2.h:77
#3  talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db22c0)
    at ../talloc.c:2223
#4  0x00007faea1d02c89 in talloc_log (fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:309
#5  0x00007faea1d02413 in talloc_chunk_from_ptr (ptr=ptr@entry=0x7fae91416ace) at ../talloc.c:377
#6  0x00007faea1d047a6 in talloc_chunk_from_ptr (ptr=0x7fae91416ace) at ../talloc.c:376
#7  __talloc (size=0, context=0x7fae91416ace) at ../talloc.c:578
#8  _talloc_named_const (name=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950", size=0, context=0x7fae91416ace) at ../talloc.c:717
#9  talloc_named_const (context=context@entry=0x7fae91416ace, size=size@entry=0, name=name@entry=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950") at ../talloc.c:1429
#10 0x00007fae91410a29 in ipasam_get_sid_by_gid (ldap_state=<optimized out>, ldap_state=<optimized out>, _sid=0x7faea5056b10, gid=1870500500) at ipa_sam.c:2950
#11 ipasam_get_primary_group_sid (_group_sid=<synthetic pointer>, entry=0x7faea503bde0, ldap_state=0x7faea5048360, mem_ctx=0x7faea5057120) at ipa_sam.c:3059
#12 init_sam_from_ldap (entry=0x7faea503bde0, sampass=0x7faea50565f0, ldap_state=0x7faea5048360) at ipa_sam.c:3145
#13 ldapsam_getsampwnam (methods=<optimized out>, user=0x7faea50565f0, sname=<optimized out>) at ipa_sam.c:3371
#14 0x00007faea2138bed in pdb_getsampwnam (sam_acct=sam_acct@entry=0x7faea50565f0, username=username@entry=0x7ffff4db36bb "gcentralproxy$")
    at ../source3/passdb/pdb_interface.c:333
#15 0x00007faea35081bd in print_user_info (username=0x7ffff4db36bb "gcentralproxy$", verbosity=<optimized out>, smbpwdstyle=<optimized out>)
    at ../source3/utils/pdbedit.c:361
#16 0x00007faea35060f1 in main (argc=<optimized out>, argv=<optimized out>) at ../source3/utils/pdbedit.c:1257
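As an added example (not part of the original post, nor FreeIPA's or Samba's code), the following Python mirrors the gid-to-group-SID lookup that the pdbedit backtrace shows entering ipasam_get_sid_by_gid for gid 1870500500: it parses LDIF like the two objects above and checks that a machine account's primary group exists, carries an ipaNTSecurityIdentifier from the same domain, and has the Domain Computers RID 515. The LDIF is constructed here; the DNs, SIDs and function names are placeholders, not the poster's real data.

```python
import re

# Constructed LDIF modelled on the post's group and host objects (placeholder values).
LDIF = """\
dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-515

dn: fqdn=gcentralproxy.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: ipantuserattrs
uid: gcentralproxy$
uidNumber: 1870400015
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # (domain SID, RID)

def parse_ldif(text):
    """Split LDIF into entries; every attribute becomes a list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    return entries + ([cur] if cur else [])

def check_machine_accounts(entries):
    """Report everything that would break the gid -> primary-group SID lookup."""
    classes = lambda e: {o.lower() for o in e.get("objectClass", [])}
    groups = {e["gidNumber"][0]: e for e in entries if "posixgroup" in classes(e)}
    problems = []
    for e in entries:
        if "posixaccount" not in classes(e) or not e.get("uid", [""])[0].endswith("$"):
            continue  # only machine accounts (uid ends in '$') are checked
        who, grp = e["dn"][0], groups.get(e.get("gidNumber", [""])[0])
        user = SID_RE.match(e.get("ipaNTSecurityIdentifier", [""])[0])
        group = SID_RE.match(grp.get("ipaNTSecurityIdentifier", [""])[0]) if grp else None
        if grp is None:
            problems.append(f"{who}: gidNumber does not resolve to a posixgroup")
        elif user is None or group is None:
            problems.append(f"{who}: missing or malformed ipaNTSecurityIdentifier")
        elif user.group(1) != group.group(1):
            problems.append(f"{who}: account and primary group SIDs are from different domains")
        elif group.group(2) != "515":
            problems.append(f"{who}: primary group RID is {group.group(2)}, expected 515")
    return problems
```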