Apparently, after the patches for #3859 were pushed, the smb.service will not start anymore:
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring CIFS
  [1/20]: stopping smbd
  ...
  [18/20]: setting SELinux booleans
  [19/20]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
  [20/20]: adding SIDs to existing users and groups
Done configuring CIFS.

From the journal and strace investigation we can conclude that the smbd process does read the /etc/samba/samba.keytab file, but reports finding no suitable keys for the cifs principal:
smbd[10279]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
Looking at the contents of the samba.keytab, it seems that the keys are there, but enctypes are broken. Compare the following (you need to compare enctypes, so scroll to the right):
Samba keytab with #3859 patches applied:
[root@vm-136 slapd-DOM136-TBAD-IDM-LAB-ENG-BRQ-REDHAT-COM]# klist -e -t -k /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 274)
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 273)
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 272)
   1 06/26/2014 13:03:01 cifs/vm-136.dom136.tbad.idm.lab.eng.brq.redhat.com@DOM136.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (etype 279)

This is what a regular samba.keytab looks like before #3859:

[tbabej@vm-139 ~]$ sudo klist -e -t -k /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes256-cts-hmac-sha1-96)
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (aes128-cts-hmac-sha1-96)
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (des3-cbc-sha1)
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (arcfour-hmac)
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia128-cts-cmac)
   1 06/23/2014 16:28:59 cifs/vm-139.dom139.tbad.idm.lab.eng.brq.redhat.com@DOM139.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM (camellia256-cts-cmac)
This blocks 4.0 release.
master:
Metadata Update from @tbabej:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.0 - 2014/06