I would have sworn my keytab was OK, but it wasn't and after re-doing that, it all came up like magic. I feel kinda dumb, but thanks for the pointers, Alexander.
On Thu, Jun 7, 2018 at 3:47 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 07 Jun 2018, Kristian Petersen via FreeIPA-users wrote:
>
>> I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
>> IdM 4.5.0. I have an older file server that works and have been using it as
>> a template for building this new one from scratch. However, right now I
>> can't get smb to start. I keep getting errors about ipasam.c in journalctl:
>>
>> Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/fileserver1.cpms.byu....@cpms.byu.edu
>> Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06 13:53:31.815713, 0] ipa_sam.c:4245(bind_callback_cleanup)
>> Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]: Failed to get base DN.
>>
>> I have made sure that the cifs service is set up in IPA for fileserver1
>> and did an ipa-getkeytab to get a keytab for the service on fileserver1 as
>> well, which is why I was surprised to see a message about the keytab in the
>> journal.
>>
> What keytab file do you use? Please provide your smb.conf/testparm -s
> output.
>
> The message is very clear: it cannot find the key in the keytab file but
> where does it look for it?
>
>
>> A little earlier in the journal it also talks about being unable to do an
>> anonymous bind to LDAP. It doesn't surprise me that it failed, but I
>> tried supplying the LDAP bind creds using smbpasswd and that didn't seem to
>> make any difference. It still tries an anonymous bind anyway, which will
>> never work.
>>
> Ignore "anonymous bind" in that message. Samba's libsmbldap code checks
> if it has a DN to bind and if not, says 'anonymous bind' in the logs. For
> GSSAPI authentication there is no explicit bind DN provided, thus this
> message.
>
>
>> I have also already set up a role for giving fileserver1 the permissions
>> necessary to allow it to read the ipaNTHash.
>>
>> P.S.: Before I sent this email to the list I upgraded one of my IPA
>> servers to the new kernel in RHEL 7.5 and smb broke in what looks like the
>> same way on that machine as well. It makes me wonder if this isn't a kernel
>> problem rather than an IPA problem. The errors I got on that machine before
>> rolling back to a working snapshot are below:
>>
>> Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]: kerberos error: code=-1765328360, message=Preauthentication failed
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06 16:27:06.332266, 0] ipa_sam.c:4556(pdb_init_ipasam)
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: Failed to get base DN.
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06 16:27:06.332318, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
>> Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly init
>>
> This is, by what I can see, an issue with a keytab here.
>
> Can you do the two things below, showing the output of these commands:
>
> 1.
> - kinit admin
> - kvno -S cifs ipa1.cpms.byu.edu
>
> 2.
> - kinit -kt /path/to/cifs.keytab cifs/ipa1.cpms.byu....@cpms.byu.edu
> - klist -k /path/to/cifs.keytab -e
> - klist
>
> I suspect that you messed up the kerberos keys by running
> ipa-getkeytab, so now you have one version of the key at the KDC side
> and a different one in the keytab file. And for the first part you seem
> to be using a totally wrong keytab file.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
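As an added example (not part of the thread or of FreeIPA/Samba), a POSIX shell script that automates the comparison Alexander's two command sets are meant to expose: it parses `klist -k -e` and `kvno -S cifs` output for one principal and reports whether the keytab still holds the key version the KDC currently issues. Hostname, realm, keytab path and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare the key version number (KVNO) a
# keytab holds for a service principal with the KVNO the KDC currently issues.
# An extra ipa-getkeytab run re-keys the principal at the KDC, so an older
# keytab no longer matches and smbd logs "Keytab contains no suitable keys".

# keytab_kvnos PRINCIPAL: read `klist -k -e KEYTAB` output on stdin, print KVNOs.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -un
}

# kdc_kvno: read `kvno -S cifs HOST` output ("princ@REALM: kvno = N") on stdin.
kdc_kvno() {
    awk -F'kvno = ' 'NF > 1 { print $2 }' | tr -d ' '
}

# check_kvno "KEYTAB_KVNOS" KDC_KVNO: 0 if the KDC's version is in the keytab.
check_kvno() {
    for k in $1; do
        [ "$k" = "$2" ] && return 0
    done
    return 1
}

# verify KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL: report match (0) or mismatch (1).
verify() {
    kt=$(printf '%s\n' "$1" | keytab_kvnos "$3")
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    if check_kvno "$kt" "$kdc"; then
        echo "OK: keytab has kvno $kdc for $3"
    else
        echo "MISMATCH: KDC issues kvno $kdc, keytab has [$(echo $kt)] for $3"
        return 1
    fi
}

# Constructed sample outputs (placeholder names, not captured from a real system).
PRINC='cifs/fileserver1.example.test@EXAMPLE.TEST'
SAMPLE_KLIST="Keytab name: FILE:/etc/samba/samba.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 $PRINC (aes256-cts-hmac-sha1-96)
   2 $PRINC (aes128-cts-hmac-sha1-96)"
SAMPLE_KVNO_OK="$PRINC: kvno = 2"
SAMPLE_KVNO_STALE="$PRINC: kvno = 3"   # KDC re-keyed, keytab is stale
# Live use: sh kvno-check.sh --live /etc/samba/samba.keytab cifs/HOST@REALM HOST
if [ "${1:-}" = "--live" ]; then
    verify "$(klist -k -e "$2")" "$(kvno -S cifs "$4")" "$3"
fi
```

A matching KVNO is necessary but not sufficient: the enctypes and the key material itself must also agree, which is what the `kinit -kt` step in the thread checks end to end.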
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3ED6VNIJ4QUDCBBZMZMESLHP5MQTXNJG/