#6951 Update samba config file and use sss idmap module
Closed: fixed 4 years ago by cheimes. Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1449133

Description of problem: Update samba config file and use sss idmap module


Version-Release number of selected component (if applicable):
samba-4.6.2-1.el7.x86_64
samba-python-4.6.2-1.el7.x86_64
samba-common-4.6.2-1.el7.noarch
samba-client-4.6.2-1.el7.x86_64
ipa-server-4.5.0-9.el7.x86_64
ipa-server-trust-ad-4.5.0-9.el7.x86_64
samba-winbind-modules-4.6.2-1.el7.x86_64
samba-winbind-4.6.2-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA Server.
2. ipa-adtrust-install -a Secret123 --add-sids -U
3. Run testparm

Actual results:
    [root@master ~]# ipa-adtrust-install -a Secret123 --add-sids -U
    The log file for this installation can be found in
    /var/log/ipaserver-install.log
    ==============================================================================
    This program will setup components needed to establish trust to AD domains for
    the IPA Server.

    This includes:
    * Configure Samba
    * Add trust related objects to IPA LDAP server

    To accept the default shown in brackets, press the Enter key.

    Configuring CIFS
       [1/23]: validate server hostname
       [2/23]: stopping smbd
       [3/23]: creating samba domain object
       [4/23]: creating samba config registry
       [5/23]: writing samba config file
       [6/23]: adding cifs Kerberos principal
       [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
       [8/23]: check for cifs services defined on other replicas
       [9/23]: adding cifs principal to S4U2Proxy targets
       [10/23]: adding admin(group) SIDs
       [11/23]: adding RID bases
       [12/23]: updating Kerberos config
       'dns_lookup_kdc' already set to 'true', nothing to do.
       [13/23]: activating CLDAP plugin
       [14/23]: activating sidgen task
       [15/23]: configuring smbd to start on boot
       [16/23]: adding special DNS service records
       [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes
    into account
       [18/23]: adding fallback group
       [19/23]: adding Default Trust View
       [20/23]: setting SELinux booleans
       [21/23]: starting CIFS services
       [22/23]: adding SIDs to existing users and groups
        This step may take considerable amount of time, please wait..
       [23/23]: restarting smbd
        Done configuring CIFS.

    =======================================================
    Setup complete

    You must make sure these network ports are open:
                TCP Ports:
                  * 135: epmap
                  * 138: netbios-dgm
                  * 139: netbios-ssn
                  * 445: microsoft-ds
                  * 1024..1300: epmap listener range
                  * 3268: msft-gc
                UDP Ports:
                  * 138: netbios-dgm
                  * 139: netbios-ssn
                  * 389: (C)LDAP
                  * 445: microsoft-ds

    See the ipa-adtrust-install(1) man page for more details

    =============================================================================

    [root@master ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    lp_load_ex: changing to config backend registry
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Loaded services file OK.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

    Server role: ROLE_DOMAIN_PDC

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
            realm = TESTRELM.TEST
            workgroup = TESTRELM
            domain master = Yes
            ldap group suffix = cn=groups,cn=accounts
            ldap machine suffix = cn=computers,cn=accounts
            ldap ssl = no
            ldap suffix = dc=testrelm,dc=test
            ldap user suffix = cn=users,cn=accounts
            log file = /var/log/samba/log.%m
            max log size = 100000
            domain logons = Yes
            registry shares = Yes
            disable spoolss = Yes
            dedicated keytab file = /etc/samba/samba.keytab
            kerberos method = dedicated keytab
            passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
            security = USER
            create krb5 conf = No
            rpc_daemon:lsasd = fork
            rpc_daemon:epmd = fork
            rpc_server:tcpip = yes
            rpc_server:netlogon = external
            rpc_server:samr = external
            rpc_server:lsasd = external
            rpc_server:lsass = external
            rpc_server:lsarpc = external
            rpc_server:epmapper = external
            ldapsam:trusted = yes
            idmap config * : backend = tdb

Expected results: Fix the messages below, displayed by the testparm command.
    idmap range not specified for domain '*'
    ERROR: Invalid idmap range for domain *!

Additional info:
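The two testparm lines quoted above are a symptom of an idmap domain that has a backend but no range. The following check is an added example for this ticket, not FreeIPA or Samba code: it parses the `idmap config <domain> : <option> = <value>` lines from a `testparm -s` dump and reports any domain lacking a backend, lacking a range, or carrying a malformed or inverted range. The `BROKEN_GLOBAL` sample is assembled from the ticket's own `[global]` output; the `FIXED_GLOBAL` sample, the function names and the range values in it are assumptions made for this example and are not the values the fix commits write.

```python
"""Flag idmap problems in a Samba [global] dump such as the one testparm
prints above: each idmap domain needs a backend and a well-formed range.
Added example for this ticket, not FreeIPA or Samba code."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Samba writes idmap settings as "idmap config <domain> : <option> = <value>";
# parameter names are case-insensitive and whitespace around ':' is optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(?P<low>\d+)\s*-\s*(?P<high>\d+)$")

# Constructed sample: the [global] lines from the ticket that matter here.
# Only a backend is set for '*', which is exactly what testparm rejects.
BROKEN_GLOBAL = """\
[global]
        realm = TESTRELM.TEST
        workgroup = TESTRELM
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket
        ldapsam:trusted = yes
        idmap config * : backend = tdb
"""

# Constructed sample of a sane layout: '*' keeps tdb with an explicit range and
# the IPA domain is mapped through the sss module. The range values are
# assumptions for this example, not the ones the fix commits write.
FIXED_GLOBAL = """\
[global]
        realm = TESTRELM.TEST
        workgroup = TESTRELM
        idmap config * : backend = tdb
        idmap config * : range = 0 - 0
        idmap config TESTRELM : backend = sss
        idmap config TESTRELM : range = 1000 - 1999999
"""


@dataclass
class IdmapDomain:
    backend: Optional[str] = None
    id_range: Optional[str] = None


def parse_idmap_config(text: str) -> Dict[str, IdmapDomain]:
    """Collect backend/range per idmap domain from a testparm-style dump."""
    domains: Dict[str, IdmapDomain] = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = domains.setdefault(m["domain"], IdmapDomain())
        option = m["option"].lower()
        if option == "backend":
            dom.backend = m["value"].lower()
        elif option == "range":
            dom.id_range = m["value"]
    return domains


def check_idmap_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the idmap config is sane."""
    problems: List[str] = []
    domains = parse_idmap_config(text)
    if "*" not in domains:
        problems.append("no default idmap config for domain '*'")
    for name, dom in domains.items():
        if dom.backend is None:
            problems.append(f"idmap backend not specified for domain '{name}'")
        if dom.id_range is None:
            problems.append(f"idmap range not specified for domain '{name}'")
            continue
        m = RANGE_RE.match(dom.id_range)
        if not m or int(m["low"]) > int(m["high"]):
            problems.append(f"invalid idmap range '{dom.id_range}' for domain '{name}'")
    return problems


if __name__ == "__main__":
    # Pipe `testparm -s` output in, or run without input to see the ticket's case.
    source = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_GLOBAL
    for problem in check_idmap_config(source) or ["idmap config OK"]:
        print(problem)
```

Run it as `testparm -s 2>/dev/null | python3 check_idmap.py` on a server after `ipa-adtrust-install`; on the configuration shown in the ticket it reports only the missing range for `*`, which matches what testparm itself prints.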

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1449133

6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

master:

  • 4ba8886 Set idmap config for Samba to follow IPA ranges and use SSSD
  • b2c5691 Enforce SMBLoris attack protection in default Samba configuration

ipa-4-6:

  • 7214a31 Set idmap config for Samba to follow IPA ranges and use SSSD
  • 06f10eb Enforce SMBLoris attack protection in default Samba configuration

ipa-4-7:

  • fad7cad Set idmap config for Samba to follow IPA ranges and use SSSD
  • b530dad Enforce SMBLoris attack protection in default Samba configuration

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

ipa-4-6:

  • 37fa917 Use unicode strings for Python 2 version
  • fa0b273 ipa_sam: remove dependency to talloc_strackframe.h
  • 910e563 Remove ZERO_STRUCT() call
  • 95c91b5 ipasam: use SID formatting calls to libsss_idmap

master:

  • e873577 ipatests: add check that ipa-adtrust-install generates sane smb.conf

ipa-4-8:

  • 8cbf47a ipatests: add check that ipa-adtrust-install generates sane smb.conf

ipa-4-6:

  • a8fbbb1 ipatests: add check that ipa-adtrust-install generates sane smb.conf

ipa-4-7:

  • e2a7e73 ipatests: add check that ipa-adtrust-install generates sane smb.conf

master:

  • 68c72e3 Privilege: add a helper checking if a principal has a given privilege
  • 911992b ipa-adtrust-install: run remote configuration for new agents
  • fc4c3ac ipatests: add test for ipa-adtrust-install --add-agents

ipa-4-7:

  • 2b5c409 Privilege: add a helper checking if a principal has a given privilege
  • 3a880ff ipa-adtrust-install: run remote configuration for new agents
  • 59b09f1 ipatests: add test for ipa-adtrust-install --add-agents

ipa-4-6:

  • d051d2d Privilege: add a helper checking if a principal has a given privilege
  • f9fcd2c ipa-adtrust-install: run remote configuration for new agents
  • 796c86a ipatests: add test for ipa-adtrust-install --add-agents
