[Freeipa-users] Woes adding a samba server to the ipa domain
Loris Santamaria
loris at lgs.com.ve
Mon Oct 20 13:15:52 UTC 2014
Hi all,
I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.
I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
could get.
First step, added a group for Domain Computers in ipa, with SID
S-1-XXXX-515:
dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500
Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:
dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
serverHostName: gcentralproxy
Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.
Fourth step, added a simple samba configuration file on the future samba
server:
[global]
workgroup = YYYY
realm = XXXX
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 100000
security = domain
Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash, I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.
It seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what the problem could be. Perhaps someone more familiar with the
ipasam code can spot it quickly.
Best regards
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
-------------- attachment: smbd backtrace --------------
[New LWP 2559]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Failed to read a valid object file image from memory.
Core was generated by `/usr/sbin/smbd'.
Program terminated with signal 6, Aborted.
#0 0x00007fe01c9f15c9 in __GI_raise (sig=6, sig@entry=<error reading variable: Cannot access memory at address 0x7fff3f7cf968>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
-------------- attachment: pdbedit backtrace --------------
Core was generated by `pdbedit -L gcentralproxy$'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, format=<optimized out>,
format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
1635 process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0 0x00007faea177db5b in _IO_vfprintf_internal (s=s@entry=0x7ffff4db20d0, format=<optimized out>,
format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db2260) at vfprintf.c:1635
#1 0x00007faea18401b5 in ___vsnprintf_chk (s=s@entry=0x7ffff4db225f "", maxlen=<optimized out>, maxlen@entry=1, flags=flags@entry=1, slen=slen@entry=1,
format=format@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7ffff4db2260) at vsnprintf_chk.c:63
#2 0x00007faea1d055c5 in vsnprintf (__ap=0x7ffff4db2260, __fmt=<optimized out>, __n=1, __s=0x7ffff4db225f "") at /usr/include/bits/stdio2.h:77
#3 talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7ffff4db22c0)
at ../talloc.c:2223
#4 0x00007faea1d02c89 in talloc_log (fmt=fmt@entry=0x7faea1d09718 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:309
#5 0x00007faea1d02413 in talloc_chunk_from_ptr (ptr=ptr@entry=0x7fae91416ace) at ../talloc.c:377
#6 0x00007faea1d047a6 in talloc_chunk_from_ptr (ptr=0x7fae91416ace) at ../talloc.c:376
#7 __talloc (size=0, context=0x7fae91416ace) at ../talloc.c:578
#8 _talloc_named_const (name=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950", size=0, context=0x7fae91416ace) at ../talloc.c:717
#9 talloc_named_const (context=context@entry=0x7fae91416ace, size=size@entry=0, name=name@entry=0x7fae91416ab3 "talloc_new: ipa_sam.c:2950") at ../talloc.c:1429
#10 0x00007fae91410a29 in ipasam_get_sid_by_gid (ldap_state=<optimized out>, ldap_state=<optimized out>, _sid=0x7faea5056b10, gid=1870500500) at ipa_sam.c:2950
#11 ipasam_get_primary_group_sid (_group_sid=<synthetic pointer>, entry=0x7faea503bde0, ldap_state=0x7faea5048360, mem_ctx=0x7faea5057120) at ipa_sam.c:3059
#12 init_sam_from_ldap (entry=0x7faea503bde0, sampass=0x7faea50565f0, ldap_state=0x7faea5048360) at ipa_sam.c:3145
#13 ldapsam_getsampwnam (methods=<optimized out>, user=0x7faea50565f0, sname=<optimized out>) at ipa_sam.c:3371
#14 0x00007faea2138bed in pdb_getsampwnam (sam_acct=sam_acct@entry=0x7faea50565f0, username=username@entry=0x7ffff4db36bb "gcentralproxy$")
at ../source3/passdb/pdb_interface.c:333
#15 0x00007faea35081bd in print_user_info (username=0x7ffff4db36bb "gcentralproxy$", verbosity=<optimized out>, smbpwdstyle=<optimized out>)
at ../source3/utils/pdbedit.c:361
#16 0x00007faea35060f1 in main (argc=<optimized out>, argv=<optimized out>) at ../source3/utils/pdbedit.c:1257
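The pdbedit backtrace ends in ipasam_get_primary_group_sid / ipasam_get_sid_by_gid, i.e. the point where the ipasam backend turns the host entry's gidNumber into the SID of its primary group. Before handing hand-crafted entries like the ones in steps 1 and 2 to a C backend, it is worth checking that this lookup can succeed at all: the account must carry an ipaNTSecurityIdentifier, its gidNumber must resolve to exactly one posixgroup that also carries one, and both SIDs must share the same domain prefix. The following checker is an added example written for this page; it is not code from the post, from FreeIPA or from Samba, and it does not reproduce or explain the crash. The LDIF it parses is a constructed sample modelled on the two entries above, with a placeholder base DN and a placeholder domain SID prefix; the second and third host entries are deliberately inconsistent so the checker has something to report. Point parse_ldif() at a real "ldapsearch -LLL" dump to run it against an actual directory.

```python
"""Check that IPA posixAccount entries can resolve their primary group SID.

Added example for the mailing-list post above; not FreeIPA or Samba code.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's group and host entries. The base
# DN (dc=example,dc=test) and the domain SID prefix are placeholders.
SAMPLE_LDIF = """\
dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-515
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
gidNumber: 1870500500

dn: fqdn=gcentralproxy.example.test,cn=computers,cn=accounts,dc=example,dc=test
uid: gcentralproxy$
uidNumber: 1870400015
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-14301
objectClass: ipahost
objectClass: ipantuserattrs
objectClass: posixAccount

dn: fqdn=otherhost.example.test,cn=computers,cn=accounts,dc=example,dc=test
uid: otherhost$
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-9999999999-2222222222-3333333333-14302
objectClass: ipantuserattrs
objectClass: posixAccount

dn: fqdn=ghost.example.test,cn=computers,cn=accounts,dc=example,dc=test
uid: ghost$
gidNumber: 1870500999
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-14303
objectClass: ipantuserattrs
objectClass: posixAccount
"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attr: [values]} dicts.

    Folded continuation lines (leading space) are joined, entries are split
    on blank lines, and attribute names are lower-cased for comparison.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn":
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value.strip())
    return entries


def sid_parts(sid):
    """Split a domain SID into (domain prefix, RID); None if malformed."""
    m = SID_RE.match(sid)
    return (sid.rsplit("-", 1)[0], int(m.group(1))) if m else None


def check_primary_groups(entries):
    """Mirror the account -> gidNumber -> group -> SID lookup a SAM backend does.

    Returns a list of (dn, problem) tuples; an empty list means every
    SAM-enabled posixAccount has a resolvable, same-domain primary group SID.
    """
    groups_by_gid = defaultdict(list)
    for e in entries:
        if "posixgroup" in {c.lower() for c in e.get("objectclass", [])}:
            for gid in e.get("gidnumber", []):
                groups_by_gid[gid].append(e)
    problems = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes or "ipantuserattrs" not in classes:
            continue
        dn = e["dn"][0]
        acct_sid = sid_parts(e.get("ipantsecurityidentifier", [""])[0])
        if acct_sid is None:
            problems.append((dn, "account SID missing or malformed"))
            continue
        gid = e.get("gidnumber", [None])[0]
        matches = groups_by_gid.get(gid, [])
        if len(matches) != 1:
            problems.append((dn, f"gidNumber {gid} resolves to {len(matches)} groups"))
            continue
        grp_sid = sid_parts(matches[0].get("ipantsecurityidentifier", [""])[0])
        if grp_sid is None:
            problems.append((dn, f"primary group {matches[0]['dn'][0]} has no NT SID"))
        elif grp_sid[0] != acct_sid[0]:
            problems.append((dn, "primary group SID belongs to a different domain"))
    return problems


if __name__ == "__main__":
    for dn, why in check_primary_groups(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {why}")
```

The check is deliberately stricter than what the directory schema enforces: LDAP happily stores a host whose gidNumber points nowhere or whose SID prefix differs from its group's, and it is exactly that kind of entry that a C backend written for IPA-managed objects was never tested against.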