On Thu, 15 Sep 2016, Brook, Andy [CRI] wrote:
> All,
> I’m working on setting up Samba to serve files from a server attached
> to our IPA domain. I followed the directions in
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA.
> Everything seems to work and I can access the files from another RHEL
> server attached to the same domain using a Kerberos ticket from a
> user from the trusted AD domain. However, I can’t access this share
> from a Windows client that is also attached to the trusted AD domain.
>
> My smb.conf is as follows:
> [global]
>        workgroup = IPA
>        realm = IPA.DOMAIN
>        kerberos method = dedicated keytab
>        dedicated keytab file = FILE:/etc/samba/samba.keytab
>        log file = /var/log/samba/log.%m
>        log level = 3
>        security = ads
>        load printers = no
>        disable spoolss = yes
>        map to guest = Never
>        restrict anonymous = 2
>
> [spacetest]
>        path = /var/www
>        writable = yes
>        browsable = yes
>
> I put the keytab in place from the cifs service from the IPA server.
>
> I feel like I’m missing something small, but I can’t seem to find it.
> Logs from Samba are here: http://pastebin.com/aMDXfR78

These logs show that your Windows client did not use Kerberos but tried
to authenticate with password using NTLMSSP. This is not supported yet,
as written on the page you used for the setup guidance.

You need to find out why the Windows client didn't use Kerberos.
Is your trust to AD really working?

--
/ Alexander Bokovoy
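
The check described in the reply above, as an added example that is not part of the original thread: a small Python classifier that reads per-client Samba logs (as produced by `log file = /var/log/samba/log.%m` at `log level = 3`) and reports whether each client authenticated with Kerberos or fell back to NTLMSSP. The marker strings are assumptions modelled on Samba level-3 authentication messages, and the sample log lines, client names and principals are constructed.

```python
import re

# Marker strings are assumptions modelled on Samba level-3 auth messages;
# check them against what your Samba version writes to log.%m.
KRB5_PRINC = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
NTLMSSP_NEG = re.compile(r"Got NTLMSSP neg_flags=")
NTLMSSP_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")

def classify(log_text):
    """Collect the authentication mechanisms seen in one client's log."""
    seen = {"kerberos": set(), "ntlmssp": set(), "ntlmssp_negotiations": 0}
    for line in log_text.splitlines():
        if m := KRB5_PRINC.search(line):
            seen["kerberos"].add(m.group(1))
        elif NTLMSSP_NEG.search(line):
            seen["ntlmssp_negotiations"] += 1
        elif m := NTLMSSP_USER.search(line):
            user, domain = m.groups()
            seen["ntlmssp"].add(f"{domain}\\{user}")
    return seen

def verdict(seen):
    """Summarise a classify() result as one label per client."""
    used_ntlm = bool(seen["ntlmssp"] or seen["ntlmssp_negotiations"])
    if seen["kerberos"] and used_ntlm:
        return "mixed"
    if seen["kerberos"]:
        return "kerberos"
    return "ntlmssp-only" if used_ntlm else "no-auth-seen"

# Constructed sample logs, one per client as written by "log file = log.%m".
SAMPLE_LOGS = {
    "winclient": (
        "[2016/09/15 10:01:02,  3] (constructed header)\n"
        "  Got NTLMSSP neg_flags=0xe2088297\n"
        "[2016/09/15 10:01:02,  3] (constructed header)\n"
        "  Got user=[alice] domain=[AD] workstation=[WINCLIENT] len1=24 len2=270\n"
    ),
    "rhelclient": (
        "[2016/09/15 10:05:40,  3] (constructed header)\n"
        "  Kerberos ticket principal name is [alice@AD.EXAMPLE]\n"
    ),
}

def report(logs=SAMPLE_LOGS):
    """Map each client name to its verdict label."""
    return {client: verdict(classify(text)) for client, text in logs.items()}

if __name__ == "__main__":
    for client, label in report().items():
        print(f"{client}: {label}")
```

A client labelled `ntlmssp-only` never presented a Kerberos ticket to the server, which is the situation the reply identifies in the posted logs.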
