Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 983237
Description of problem:
samba crashes if ipaNTSecurityIdentifier is not present on the "default smb group"; the issue occurs if we do not specify the --add-sids option during ipa-adtrust-install.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4

How reproducible:
Always.

Steps to Reproduce:
1. Install IPA server,
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results:
smbd crashes due to missing ipaNTSecurityIdentifier attribute on the default smb group.

Expected results:
No samba crashes, wbinfo and smbclient return proper results.
Tomas, please check this one.
I'll look into it.
I could not reproduce the issue. I set up an IPA server:

    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.

    [...]

    Restarting the web server
    ==============================================================================
    Setup complete

    Next steps:
        1. You must make sure these network ports are open:
            TCP Ports:
              * 80, 443: HTTP/HTTPS
              * 389, 636: LDAP/LDAPS
              * 88, 464: kerberos
              * 53: bind
            UDP Ports:
              * 88, 464: kerberos
              * 53: bind
              * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

    Be sure to back up the CA certificate stored in /root/cacert.p12
    This file is required to create replicas. The password for this file
    is the Directory Manager password
Run ipa-adtrust-install without --add-sids option:
    [tbabej@vm-108 labtool]$ sudo ipa-adtrust-install

    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will setup components needed to establish trust to AD domains for
    the FreeIPA Server.

    This includes:
      * Configure Samba
      * Add trust related objects to FreeIPA LDAP server

    To accept the default shown in brackets, press the Enter key.

    The following operations may take some minutes to complete.
    Please wait until the prompt is returned.

    Configuring cross-realm trusts for IPA server requires password for user 'admin'.
    This user is a regular system account used for IPA server administration.

    admin password:

    Enter the NetBIOS name for the IPA domain.
    Only up to 15 uppercase ASCII letters and digits are allowed.
    Example: EXAMPLE.

    NetBIOS domain name [DOM108]:

    Configuring CIFS
      [1/18]: stopping smbd
      [2/18]: creating samba domain object
      [3/18]: creating samba config registry
      [4/18]: writing samba config file
      [5/18]: adding cifs Kerberos principal
      [6/18]: adding cifs principal to S4U2Proxy targets
      [7/18]: adding admin(group) SIDs
      [8/18]: adding RID bases
      [9/18]: updating Kerberos config
    'dns_lookup_kdc' already set to 'true', nothing to do.
      [10/18]: activating CLDAP plugin
      [11/18]: activating sidgen plugin and task
      [12/18]: activating extdom plugin
      [13/18]: configuring smbd to start on boot
      [14/18]: adding special DNS service records
      [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
      [16/18]: adding fallback group
      [17/18]: setting SELinux booleans
      [18/18]: starting CIFS services
    Done configuring CIFS.

    =============================================================================
    Setup complete

    You must make sure these network ports are open:
            TCP Ports:
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 445: microsoft-ds
            UDP Ports:
              * 138: netbios-dgm
              * 139: netbios-ssn
              * 389: (C)LDAP
              * 445: microsoft-ds

    Additionally you have to make sure the FreeIPA LDAP server is not reachable
    by any domain controller in the Active Directory domain by closing down the
    following ports for these servers:
            TCP Ports:
              * 389, 636: LDAP/LDAPS

    You may want to choose to REJECT the network packets instead of DROPing them
    to avoid timeouts on the AD domain controllers.
    =============================================================================
However, Default SMB group has ipaNTSecurityIdentifier assigned:
    [tbabej@vm-108 labtool]$ ldapsearch -h `hostname` 'cn=Default SMB Group' -Y GSSAPI
    SASL/GSSAPI authentication started
    SASL username: admin@DOM108.TBAD.IDM.LAB.BOS.REDHAT.COM
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <dc=dom108,dc=tbad,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> (default) with scope subtree
    # filter: cn=Default SMB Group
    # requesting: ALL
    #

    # Default SMB Group, groups, compat, dom108.tbad.idm.lab.bos.redhat.com
    dn: cn=Default SMB Group,cn=groups,cn=compat,dc=dom108,dc=tbad,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
    objectClass: posixGroup
    objectClass: top
    gidNumber: 1386200001
    cn: Default SMB Group

    # Default SMB Group, groups, accounts, dom108.tbad.idm.lab.bos.redhat.com
    dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbad,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
    cn: Default SMB Group
    description: Fallback group for primary group RID, do not add users to this group
    objectClass: top
    objectClass: ipaobject
    objectClass: posixgroup
    objectClass: ipantgroupattrs
    ipaUniqueID: 4e3278da-f30e-11e2-8493-001a4a104eaa
    gidNumber: 1386200001
    ipaNTSecurityIdentifier: S-1-5-21-190876497-2151327125-92415952-1001

    # search result
    search: 4
    result: 0 Success

    # numResponses: 3
    # numEntries: 2
This was done with the same version as reported:
    [tbabej@vm-108 ~]$ rpm -q ipa-server
    ipa-server-3.0.0-25.el6.x86_64
Also, running wbinfo commands does not cause smb service failure:
    [tbabej@vm-108 labtool]$ sudo service winbind status
    winbindd (pid 25385) is running...
    [tbabej@vm-108 labtool]$ wbinfo -u
    TBAD\administrator
    TBAD\guest
    TBAD\krbtgt
    TBAD\ipa$
    TBAD\dom108$
    [tbabej@vm-108 labtool]$ sudo service winbind status
    winbindd (pid 25385) is running...
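A scripted version of the check performed above, added here as an example and not code from the thread or from FreeIPA: it reads ldapsearch LDIF output, unfolds continuation lines (the wrapped `dc=lab,d` / ` c=bos` lines seen in the output), and reports whether the cn=accounts copy of "Default SMB Group" carries an ipaNTSecurityIdentifier. The copy of the group in the cn=compat tree never has a SID, so a plain grep over the whole output cannot tell the two entries apart; the check keys on the cn=accounts DN only. The embedded LDIF is a constructed sample modelled on the output above, and the function names are my own.

```shell
#!/bin/sh
# Added check, not FreeIPA code: confirm that the "Default SMB Group" fallback
# group under cn=accounts has an ipaNTSecurityIdentifier, reading LDIF as
# written by ldapsearch.

# fallback_group_sid LDIF_FILE
# Prints the SID and returns 0 when the cn=accounts entry carries one;
# returns 1 when the entry is missing or has no ipaNTSecurityIdentifier.
fallback_group_sid() {
    awk '
        # LDIF folding: a line starting with one space continues the previous line.
        /^ / { buf = buf substr($0, 2); next }
        {
            if (buf != "") handle(buf)
            buf = $0
            if ($0 == "") flush()          # a blank line ends an entry
        }
        END { if (buf != "") handle(buf); flush(); exit(found ? 0 : 1) }

        function handle(line) {
            if (line ~ /^dn: /) { dn = tolower(substr(line, 5)); sid = "" }
            else if (line ~ /^ipaNTSecurityIdentifier: /) sid = substr(line, 26)
        }
        function flush() {
            # Only the cn=accounts entry counts; the cn=compat copy never has a SID.
            if (dn ~ /^cn=default smb group,cn=groups,cn=accounts,/ && sid != "") {
                print sid
                found = 1
            }
            dn = ""; sid = ""
        }
    ' "$1"
}

# write_sample_ldif FILE
# Constructed sample (not captured output) modelled on the ldapsearch result
# in the thread, including folded dn and description lines.
write_sample_ldif() {
    cat > "$1" <<'EOF'
# extended LDIF
#
# LDAPv3
# filter: cn=Default SMB Group
# requesting: ALL
#

# Default SMB Group, groups, compat, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=dom108,dc=tbad,dc=idm,dc=lab,d
 c=bos,dc=redhat,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 1386200001
cn: Default SMB Group

# Default SMB Group, groups, accounts, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbad,dc=idm,dc=lab
 ,dc=bos,dc=redhat,dc=com
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: 4e3278da-f30e-11e2-8493-001a4a104eaa
gidNumber: 1386200001
ipaNTSecurityIdentifier: S-1-5-21-190876497-2151327125-92415952-1001

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_ldif "$sample"
if sid=$(fallback_group_sid "$sample"); then
    echo "fallback group SID: $sid"
else
    echo "fallback group has no ipaNTSecurityIdentifier" >&2
fi
rm -f "$sample"
```

On a live server, feed it the real output, e.g. `ldapsearch -Y GSSAPI -h "$(hostname)" 'cn=Default SMB Group' > smbgroup.ldif; fallback_group_sid smbgroup.ldif`. A non-zero exit with no SID printed is the state the original report describes, and it is also what a failed sidgen run leaves behind.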
Martin pointed out I overlooked the server's version minor number. Retested with
    [tbabej@vm-108 labtool]$ rpm -q ipa-server
    ipa-server-3.0.0-26.el6_4.4.x86_64
It produces the same results.
Raising the nsslapd-errorlog-level to the plugin debugging value, I get the following from /var/log/dirsrv/slapd-INSTANCE/errors:

    [24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - Found domain SID [S-1-5-21-1105393625-3785239138-3571142316].
    [24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - Trying to add SID for [cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbadtest,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com].
    [24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - SID is [S-1-5-21-1105393625-3785239138-3571142316-1001].
    [24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - No SID found.
Changing status to mark that investigation has been conducted.
Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).
This works as expected. Actual cause of problems is described here:
https://fedorahosted.org/freeipa/ticket/3891
Just to close the loop, the original problem was caused by an .ldaprc file in a root directory having SASL_MECH set to GSSAPI, so all calls to the ldapmodify binary used GSSAPI and tried to modify the cn=config entries as admin, which is not allowed.
.ldaprc
The default mech is EXTERNAL and in this case the root user is mapped to the directory manager which does have permissions to modify cn=config. After removing the .ldaprc file ipa-adtrust-install was successful.
See follow up ticket #3895.
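A diagnostic for the root cause described in the closing comments, added here as an example and not code from the thread, from FreeIPA or from OpenLDAP: it walks the client configuration chain the way I understand ldap.conf(5) to describe it (system-wide ldap.conf, then $HOME/ldaprc, $HOME/.ldaprc, ldaprc in the current directory, then the LDAPSASL_MECH environment variable, later settings winning) and reports which SASL mechanism a bare `ldapmodify` would use and which file set it. An explicit `-Y` on the command line and the LDAPRC/LDAPCONF override variables are not modelled. The default of EXTERNAL when nothing is configured follows the comment above; the paths in the test section and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic, not FreeIPA or OpenLDAP code: find the SASL mechanism an
# OpenLDAP client will use when no -Y is given, and where it was configured.
# Assumed lookup order (ldap.conf(5)): system file, $HOME/ldaprc,
# $HOME/.ldaprc, ./ldaprc, then the LDAPSASL_MECH environment variable;
# a later setting overrides an earlier one.  LDAPRC/LDAPCONF are ignored.

# effective_sasl_mech SYSCONF HOME CWD
# Prints "<mechanism> <source>".  With nothing configured the client negotiates
# with the server; per the comment above that is EXTERNAL for the installer's
# ldapmodify calls, so EXTERNAL is reported as the default (assumption).
effective_sasl_mech() {
    sysconf=$1; home=$2; cwd=$3
    mech=EXTERNAL; src="default (no SASL_MECH configured)"
    for f in "$sysconf" "$home/ldaprc" "$home/.ldaprc" "$cwd/ldaprc"; do
        [ -r "$f" ] || continue
        # Keyword is case-insensitive; the last SASL_MECH line in a file wins.
        m=$(awk 'toupper($1) == "SASL_MECH" { v = $2 } END { print v }' "$f")
        if [ -n "$m" ]; then mech=$m; src=$f; fi
    done
    if [ -n "${LDAPSASL_MECH:-}" ]; then
        mech=$LDAPSASL_MECH; src="LDAPSASL_MECH environment variable"
    fi
    printf '%s %s\n' "$mech" "$src"
}

# check_adtrust_ldap_auth SYSCONF HOME CWD
# Returns 0 when root's ldapmodify would bind with EXTERNAL (over ldapi this
# maps root to cn=Directory Manager, which may modify cn=config) and 1 when an
# ldaprc forces another mechanism such as GSSAPI (a bind as the Kerberos
# principal, e.g. admin, which cannot modify cn=config).
check_adtrust_ldap_auth() {
    result=$(effective_sasl_mech "$1" "$2" "$3")
    mech=${result%% *}
    src=${result#* }
    if [ "$mech" = EXTERNAL ]; then
        echo "ok: SASL mechanism EXTERNAL ($src)"
        return 0
    fi
    echo "warning: SASL_MECH $mech set in $src; remove it before running ipa-adtrust-install" >&2
    return 1
}

# Stand-alone run against the live system: root's home and the current directory.
check_adtrust_ldap_auth /etc/openldap/ldap.conf "${HOME:-/root}" "$PWD" || true
```

Run it as root from the directory you would run ipa-adtrust-install in, since a stray `ldaprc` in the working directory is picked up just like one in the home directory. A warning means the installer's ldapmodify calls would authenticate as a Kerberos principal rather than as Directory Manager, which is exactly the cn=config permission failure described in the comment above.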
Metadata Update from @rcritten:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)