#3776 add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install
Closed: Invalid. Opened 7 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 983237

Description of problem: samba crashes if ipaNTSecurityIdentifier is not present
on the "default smb group"; the issue occurs if we do not specify the --add-sids
option during ipa-adtrust-install.

Version-Release number of selected component (if applicable):

How reproducible: Always.

Steps to Reproduce:
1. Install IPA server,
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results: smbd crashes due to missing ipaNTSecurityIdentifier attribute
on the default smb group.

Expected results: No samba crashes; wbinfo and smbclient return proper

Tomas, please check this one.

I could not reproduce the issue. I set up an IPA server:

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.


Restarting the web server
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Run ipa-adtrust-install without --add-sids option:

[tbabej@vm-108 labtool]$ sudo ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [DOM108]:

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
        TCP Ports:
          * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.


However, Default SMB group has ipaNTSecurityIdentifier assigned:

[tbabej@vm-108 labtool]$ ldapsearch -h `hostname` 'cn=Default SMB Group' -Y GSSAPI
SASL/GSSAPI authentication started
SASL data security layer installed.
# extended LDIF
# LDAPv3
# base <dc=dom108,dc=tbad,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> (default) with scope subtree
# filter: cn=Default SMB Group
# requesting: ALL

# Default SMB Group, groups, compat, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=dom108,dc=tbad,dc=idm,dc=lab,d
objectClass: posixGroup
objectClass: top
gidNumber: 1386200001
cn: Default SMB Group

# Default SMB Group, groups, accounts, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbad,dc=idm,dc=lab
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: 4e3278da-f30e-11e2-8493-001a4a104eaa
gidNumber: 1386200001
ipaNTSecurityIdentifier: S-1-5-21-190876497-2151327125-92415952-1001

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

This was done with the same version as reported:

[tbabej@vm-108 ~]$ rpm -q ipa-server

Also, running wbinfo commands does not cause smb service failure:

[tbabej@vm-108 labtool]$ sudo service winbind status
winbindd (pid  25385) is running...
[tbabej@vm-108 labtool]$ wbinfo -u
[tbabej@vm-108 labtool]$ sudo service winbind status
winbindd (pid  25385) is running...
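The ldapsearch check above, as an added example that is not part of the ticket or of FreeIPA: a small Python parser for ldapsearch-style LDIF that reports whether each matching group entry carries ipaNTSecurityIdentifier, the attribute whose absence the report blames for the smbd crash. The SAMPLE_LDIF input is constructed from the output quoted above (the DNs and the SID are copied from it; the folded dn continuation lines, the base64 description and the dn-less search trailer are constructed to exercise the parser). SID_RE, parse_ldif, sid_status and domain_of are names chosen here.

```python
"""Check a group entry for the ipaNTSecurityIdentifier attribute.

Added example (not FreeIPA project code): parses ldapsearch-style LDIF such
as the output quoted in the ticket and reports, per matching entry, whether
the Samba SID attribute is present and well-formed.
"""
import base64
import re
from typing import Dict, List

# Constructed sample modelled on the ticket's ldapsearch output. The DNs and
# the SID are copied from that output; the folded dn lines (leading-space
# continuation), the base64 description and the dn-less trailer are
# constructed to exercise the parser.
SAMPLE_LDIF = """\
# extended LDIF
# LDAPv3
# filter: cn=Default SMB Group

# Default SMB Group, groups, compat, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=compat,dc=dom108,dc=tbad,dc=idm,dc=lab,d
 c=bos,dc=redhat,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 1386200001
cn: Default SMB Group

# Default SMB Group, groups, accounts, dom108.tbad.idm.lab.bos.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbad,dc=idm,dc=lab
 ,dc=bos,dc=redhat,dc=com
cn: Default SMB Group
description:: RmFsbGJhY2sgZ3JvdXA=
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
gidNumber: 1386200001
ipaNTSecurityIdentifier: S-1-5-21-190876497-2151327125-92415952-1001

# search result
search: 4
result: 0 Success
"""

# "attr: value" or "attr:: base64value"; attribute names may contain ; and -.
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
# Windows SID: S-1-<authority>-<sub-authorities...>; the last one is the RID.
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Return one {attribute: [values]} dict per entry that has a dn.

    Comment lines are skipped, continuation lines (leading space) are
    unfolded, '::' values are base64-decoded, and attribute names are lowered
    because LDAP attribute names are case-insensitive (the ticket's output
    shows both posixGroup and posixgroup).
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # sentinel blank closes the last entry
        if not line.strip():
            if "dn" in current:           # drop the dn-less search trailer
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        match = _ATTR_RE.match(line)
        if not match:
            continue
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def sid_status(entries, cn: str = "Default SMB Group",
               include_compat: bool = False) -> Dict[str, str]:
    """Map dn -> 'ok' | 'missing' | 'malformed' for entries whose cn matches.

    Entries under cn=compat are skipped by default: in the ticket's output the
    compat-tree entry exposes only posixGroup attributes, so the SID is
    expected only on the cn=accounts entry.
    """
    report: Dict[str, str] = {}
    for entry in entries:
        dn = entry["dn"][0]
        if cn.lower() not in (v.lower() for v in entry.get("cn", [])):
            continue
        if not include_compat and ",cn=compat," in dn.lower():
            continue
        sids = entry.get("ipantsecurityidentifier", [])
        if not sids:
            report[dn] = "missing"        # the condition the ticket reports
        elif all(SID_RE.match(s) for s in sids):
            report[dn] = "ok"
        else:
            report[dn] = "malformed"
    return report


def domain_of(sid: str) -> str:
    """Strip the RID so the group SID can be compared with the domain SID that
    ipa-sidgen logs as 'Found domain SID [...]'."""
    return sid.rsplit("-", 1)[0]


if __name__ == "__main__":
    for dn, status in sid_status(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{status:9s} {dn}")
```

On a live server the same functions can be fed the output of the ldapsearch command quoted above; a `missing` result on the cn=accounts entry is the state the reporter describes, while the cn=compat entry is only reported when `include_compat=True`.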

Martin pointed out I overlooked the server's version minor number. Retested with

[tbabej@vm-108 labtool]$ rpm -q ipa-server

It produces the same results.

Raising nsslapd-errorlog-level to the plugin debugging value, I get the following from /var/log/dirsrv/slapd-INSTANCE/errors:

[24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - Found domain SID [S-1-5-21-1105393625-3785239138-3571142316].
[24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - Trying to add SID for [cn=Default SMB Group,cn=groups,cn=accounts,dc=dom108,dc=tbadtest,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com].
[24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - SID is [S-1-5-21-1105393625-3785239138-3571142316-1001].
[24/Jul/2013:07:12:21 -0400] ipa-sidgen-postop - No SID found.

Changing status to mark that investigation has been conducted.

Moving all non-critical bugs to 3.3.x bug fixing bucket (FreeIPA 3.3 final was released).

This works as expected. The actual cause of the problems is described here:


Just to close the loop, the original problem was caused by an .ldaprc file in a root directory having SASL_MECH set to GSSAPI, so all calls to the ldapmodify binary used GSSAPI and tried to modify the cn=config entries as admin, which is not allowed.

The default mech is EXTERNAL and in this case the root user is mapped to the directory manager which does have permissions to modify cn=config. After removing the .ldaprc file ipa-adtrust-install was successful.

See follow up ticket #3895.
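An added example (not part of the ticket or of FreeIPA) of the preflight check a practitioner would want for the root cause described above: parse the ldaprc-style files libldap consults and flag a SASL_MECH that overrides the EXTERNAL default under which, as the ticket explains, root is mapped to Directory Manager and may edit cn=config. parse_ldaprc, sasl_mech_findings, ldaprc_candidates and scan are names chosen here, and SAMPLE_LDAPRC is a constructed file reproducing the ticket's situation.

```python
"""Detect an ldaprc that overrides the SASL mechanism ipa-adtrust-install relies on.

Added example (not FreeIPA code). Per the ticket, the installer runs
ldapmodify as root and depends on the default mechanism (EXTERNAL, under
which root is mapped to Directory Manager); an .ldaprc with SASL_MECH GSSAPI
makes those calls bind as the admin principal, which may not modify cn=config.
"""
import os
import re
from typing import Dict, List

# ldaprc / ldap.conf syntax: "KEY value" per line, '#' comments,
# case-insensitive keys; a later line for the same key overrides an earlier one.
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*$")

# Constructed sample reproducing the ticket's root cause.
SAMPLE_LDAPRC = """\
# constructed sample ~/.ldaprc
SASL_MECH GSSAPI
TLS_CACERT /etc/ipa/ca.crt
"""


def parse_ldaprc(text: str) -> Dict[str, str]:
    """Return the effective KEY -> value map of one ldaprc-style file."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if match:
            settings[match.group(1).upper()] = match.group(2)
    return settings


def sasl_mech_findings(text: str, source: str) -> List[str]:
    """List the SASL_MECH problem in one file's contents, if present."""
    mech = parse_ldaprc(text).get("SASL_MECH")
    if mech is None or mech.upper() == "EXTERNAL":
        return []
    return [f"{source}: SASL_MECH {mech} overrides the EXTERNAL default; "
            "root-run ldapmodify will not bind as Directory Manager"]


def ldaprc_candidates(home: str, cwd: str) -> List[str]:
    """Per-user files libldap reads (ldap.conf(5)); the LDAPCONF and LDAPRC
    environment variables can name further files and are not scanned here."""
    return [os.path.join(home, "ldaprc"),
            os.path.join(home, ".ldaprc"),
            os.path.join(cwd, "ldaprc")]


def scan(paths: List[str]) -> List[str]:
    """Collect findings from every candidate file that actually exists."""
    findings: List[str] = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(sasl_mech_findings(fh.read(), path))
    return findings


if __name__ == "__main__":
    # Run as root before ipa-adtrust-install to catch the ticket's pitfall.
    for finding in scan(ldaprc_candidates(os.path.expanduser("~"), os.getcwd())):
        print("WARNING:", finding)
    # The constructed sample shows what such a warning looks like.
    for finding in sasl_mech_findings(SAMPLE_LDAPRC, "sample ~/.ldaprc"):
        print("WARNING:", finding)
```

A clean run prints nothing for the real files; the constructed sample always produces one warning, which is the condition the ticket was closed on.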

Metadata Update from @rcritten:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3.x - 2013/08 (bug fixing)
