Issue #4385: samba cannot access "Default SMB Group" - freeipa

freeipa

#4385 samba cannot access "Default SMB Group"

Closed: Fixed None Opened 9 years ago by tbabej.

Due to the recent changes in the permissions, samba can no longer read attributes necessary for the service to start:

oot@vm-212 ~]# export KRB5CCNAME=/tmp/foobar
[root@vm-212 ~]# kinit -kt /etc/samba/samba.keytab cifs/`hostname`@DOM212.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
[root@vm-212 ~]# ldapsearch -Y GSSAPI -b "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
SASL/GSSAPI authentication started
SASL username: cifs/vm-212.dom212.tbad.idm.lab.eng.brq.redhat.com@DOM212.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

No attributes were returned, however, using root's credentials to connect:

[root@vm-212 ~]# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-DOM212-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL -b "cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Default SMB Group, groups, accounts, dom212.tbad.idm.lab.eng.brq.redhat.com
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=dom212,dc=tbad,dc=idm,dc=lab
 ,dc=eng,dc=brq,dc=redhat,dc=com
cn: Default SMB Group
description: Fallback group for primary group RID, do not add users to this gr
 oup
objectClass: top
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: fd00f598-f6d8-11e3-b3e9-001a4a2221c1
gidNumber: 1690200001
ipaNTSecurityIdentifier: S-1-5-21-1326922427-4033384866-1503685269-1001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

we can see the attributes are there.

As a consenquence, since smb.service won't start, none of trust-related functionality works.

mkosek commented 9 years ago

Tomas volunteered to work on fixing the Trust related ACIs :)

pviktori commented 9 years ago

ef5309d trusts: Allow reading ipaNTSecurityIdentifier in user and group objects

Metadata Update from @tbabej:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 4.0 - 2014/06

7 years ago

Metadata

Assignee

tbabej

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.0 - 2014/06

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#4385 samba cannot access "Default SMB Group" Closed: Fixed None Opened 9 years ago by tbabej.

Metadata

#4385 samba cannot access "Default SMB Group"

Closed: Fixed None Opened 9 years ago by tbabej.