Due to the recent changes in the permissions, Samba can no longer read attributes necessary for the service to start:
    [root@vm-212 ~]# export KRB5CCNAME=/tmp/foobar
    [root@vm-212 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`@DOM212.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
    [root@vm-212 ~]# ldapsearch -Y GSSAPI -b "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
    SASL/GSSAPI authentication started
    SASL username: cifs/vm-212.dom212.tbad.idm.lab.eng.brq.redhat.com@DOM212.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 4
    result: 0 Success

    # numResponses: 1
No attributes were returned. However, using root's credentials to connect:
    [root@vm-212 ~]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-DOM212-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL -b "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # Default SMB Group, groups, accounts, dom212.tbad.idm.lab.eng.brq.redhat.com
    dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab
     ,dc=eng,dc=brq,dc=redhat,dc=com
    cn: Default SMB Group
    description: Fallback group for primary group RID, do not add users to this gr
     oup
    objectClass: top
    objectClass: ipaobject
    objectClass: posixgroup
    objectClass: ipantgroupattrs
    ipaUniqueID: fd00f598-f6d8-11e3-b3e9-001a4a2221c1
    gidNumber: 1690200001
    ipaNTSecurityIdentifier: S-1-5-21-1326922427-4033384866-1503685269-1001

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
we can see the attributes are there.
As a consequence, since smb.service won't start, none of the trust-related functionality works.
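The comparison in the ticket can be made repeatable by diffing, per attribute, what the service principal's bind returns against what the root bind returns. This is an added example, not part of the ticket or of FreeIPA's code; the function names, the `example.test` suffix and the SID in the sample output are constructed.

```python
def parse_ldif(text):
    """Parse ldapsearch output into {dn: {attribute: [values]}} (keys casefolded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # a blank line ends the current entry
            current = None
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        value = value.lstrip(":").strip()   # "::" marks base64, left undecoded
        if name.casefold() == "dn":
            current = entries.setdefault(value.casefold(), {})
        elif current is not None:           # skips SASL banner and result lines
            current.setdefault(name.casefold(), []).append(value)
    return entries

def hidden_from(restricted, privileged):
    """Attributes the privileged bind returns that the restricted bind does not."""
    return {dn: sorted(set(attrs) - set(restricted.get(dn, {})))
            for dn, attrs in privileged.items()
            if set(attrs) - set(restricted.get(dn, {}))}

# Constructed sample output, shortened from the two searches shown in the ticket.
AS_SERVICE = """\
SASL/GSSAPI authentication started

# search result
result: 0 Success
"""
AS_ROOT = """\
SASL/EXTERNAL authentication started

dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=exa
 mple,dc=test
cn: Default SMB Group
objectClass: ipantgroupattrs
gidNumber: 1690200001
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001

result: 0 Success
"""
print(hidden_from(parse_ldif(AS_SERVICE), parse_ldif(AS_ROOT)))
```

A non-empty result alongside `result: 0 Success` for the restricted bind shows the entries were filtered out by access control rather than being absent from the directory.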
Tomas volunteered to work on fixing the Trust related ACIs :)
Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06