FreeIPA's ipasam module for Samba uses the gethostname() call to identify its own server's host name. This value is then used in multiple places, including construction of the cifs/ principal. The ipasam module always uses GSSAPI authentication when talking to LDAP, so Kerberos keys must be available in /etc/samba/samba.keytab. However, if the principal was created using a non-FQDN name but the system reports an FQDN name, ipasam will fail to acquire Kerberos credentials. The same happens with an FQDN principal and a non-FQDN hostname.
The host name and the principal name must also have the same case, since Kerberos principal names are case-sensitive.
Report an error when configuring the ADTrust instance with an inconsistent runtime hostname and configuration. This prevents errors like this:

    [20/21]: starting CIFS services
    ipa : CRITICAL CIFS services failed to start

where the Samba logs have this:

    [2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
      kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
    [2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
      Connection to LDAP server failed for the 16 try!
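The consistency check the ticket asks for, written here as an added example rather than FreeIPA's own installer code. It assumes hypothetical names (check_adtrust_hostname, expected_cifs_principal) and a constructed keytab principal list that mirrors the failing setup from the log above (short cifs/ipatrust principal, FQDN runtime hostname).

```python
import socket

# Constructed sample: principals as they would be listed from /etc/samba/samba.keytab.
# Mirrors the failure in the ticket: the keytab holds a short (non-FQDN) cifs/ principal.
SAMPLE_KEYTAB_PRINCIPALS = ["cifs/ipatrust@EXAMPLE.COM"]


def expected_cifs_principal(hostname, realm):
    """Principal ipasam will look for: cifs/<gethostname() result>@REALM."""
    return "cifs/%s@%s" % (hostname, realm)


def check_adtrust_hostname(runtime_hostname, configured_hostname, realm, keytab_principals):
    """Return a list of error strings; an empty list means the setup is consistent.

    All comparisons are deliberately case-sensitive: Kerberos treats
    cifs/IPATRUST.example.com and cifs/ipatrust.example.com as different principals.
    """
    errors = []
    if "." not in runtime_hostname:
        errors.append("runtime hostname %r is not fully qualified" % runtime_hostname)
    if runtime_hostname != configured_hostname:
        errors.append("runtime hostname %r differs from configured hostname %r "
                      "(comparison is case-sensitive)"
                      % (runtime_hostname, configured_hostname))
    wanted = expected_cifs_principal(runtime_hostname, realm)
    if wanted not in keytab_principals:
        # This is the condition behind "Keytab contains no suitable keys for cifs/..."
        errors.append("keytab contains no keys for %s" % wanted)
    return errors


def check_local_host(configured_hostname, realm, keytab_principals):
    """Run the check against what gethostname() reports on this machine."""
    return check_adtrust_hostname(socket.gethostname(), configured_hostname,
                                  realm, keytab_principals)


if __name__ == "__main__":
    # Reproduces the ticket: hostname is FQDN, keytab principal is not.
    for err in check_adtrust_hostname("ipatrust.example.com", "ipatrust.example.com",
                                      "EXAMPLE.COM", SAMPLE_KEYTAB_PRINCIPALS):
        print("ADTrust configuration error:", err)
```

Running the script prints the single keytab error for the ticket's scenario; a correct setup (FQDN hostname, matching case, cifs/<fqdn>@REALM in the keytab) yields no errors.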
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.5.1
- Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field rhbz adjusted to 1437378
Metadata Update from @abbra: - Custom field rhbz adjusted to (was: 1437378)