Hello,
I've personally been using FreeIPA for some time and I love it
immensely. I thought I'd start a post here due to the direction my
troubleshooting has gone instead of the Samba mailing list. Allow me to
explain what I've done, why I've done it and then the problem I'm having.
I just recently started working for a school and the school has
some Windows labs. A problem that has come to my attention is that the
OpenLDAP to Samba3 NT4 domain they've been using for years is no longer
compatible with Windows 10. To dispel any illusion, I'm not trying to
get the NT4 domain working nice with Windows 10. Additionally Samba4 has
changed its design structure such that OpenLDAP, or really any LDAP
server except Samba4's internal LDAP server, will no longer work for the
Active Directory.
The school would like the Windows machines in the labs to
authenticate students via their OpenLDAP credentials. I am open to
alternatives but the closest thing I found was adding local users on
each Windows workstation and having them authenticate to the FreeIPA
server. The problem here is that users will continually be added and
deleted. The Samba project would have us go all in with Samba4's
internal LDAP server. While I'm not directly knocking that, since from
my testing it seems to be quite functional, the upheaval would be
tremendous. Fortunately we were already looking into switching to 389
before I came on so I've been touting the possibility of replacing
OpenLDAP with FreeIPA before this Samba4 issue. A solution I thought
should work is to use a trust between a FreeIPA (IPA) and a Samba4
Active Directory (AD). I've since configured both and have created that
trust.
I have a Windows 10 machine connected to the Samba4 domain. When I
attempt to logon with an account from the IPA domain I am presented with
"Insufficient system resources exist to complete the requested service."
At first I took this message at face value and increased the memory of
the workstation from which I'm trying to logon. There are few results
from a Google search about this error without focusing on local memory.
After reading and troubleshooting I believe this failure may be in
the Kerberos InitializeSecurityContext function that's producing
SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and
seemingly not coming from Samba4 AD.
A couple of things I've noticed: when I attempt to log in as user@ipa,
if the password is wrong Windows tells me my password is incorrect. If I
use the correct password I'm presented with that "Insufficient system
resources exist to complete the requested service." The Event Viewer
only shows me a generic logon error message. When I look at the Kerberos
logs on both systems, on AD I see 'Realm not local to KDC' and
'No matching key in entry', but on IPA I see 'Additional
pre-authentication required', then AS_REQ ISSUE and finally TGS_REQ ISSUE.
I continued to do a tcpdump on port 88 to see who was directly
communicating to the FreeIPA server and I found that the Windows
workstation was making a direct Kerberos request. I then expanded my
tcpdump to include all traffic from the workstation and upon another
logon attempt only port 88 was used to communicate to FreeIPA. I
therefore think that this is a Kerberos specific problem and not
necessarily a Samba4 problem. Unfortunately I'm not knowledgeable enough
in Kerberos to identify what's going on.
I don't know what information I should present, such as configs or
logs. Whatever is needed I can provide. I greatly appreciate any help,
advice or potentially other non-management-nightmare solutions! Thank
you all very much!
[root@freeipa-dev log]# ipa trustdomain-find ad.school.edu
  Domain name: ad.school.edu
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-276971437-2632767696-819257926
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
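A small triage helper, added here as an example and not part of the original post, that reads the two KDC logs the post describes and reports how far the cross-realm logon got on the IPA side before the AD-side errors appeared. The log lines are constructed: the IPA ones follow the MIT krb5kdc layout, while the AD ones are reduced to the messages quoted above, so the AD-side parsing is an assumption about that layout.

```python
import re

# Constructed sample KDC log excerpts (not from the original post). The IPA lines
# follow the MIT krb5kdc layout; the AD lines are reduced to the messages the post
# quotes, so their layout is an assumption.
IPA_KDC_LOG = """\
Mar 10 10:12:01 freeipa-dev krb5kdc[2213](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.2.50: NEEDED_PREAUTH: student@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Additional pre-authentication required
Mar 10 10:12:01 freeipa-dev krb5kdc[2213](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.2.50: ISSUE: authtime 1583835121, etypes {rep=18 tkt=18 ses=18}, student@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU
Mar 10 10:12:01 freeipa-dev krb5kdc[2213](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.2.50: ISSUE: authtime 1583835121, etypes {rep=18 tkt=23 ses=18}, student@IPA.SCHOOL.EDU for krbtgt/AD.SCHOOL.EDU@IPA.SCHOOL.EDU
"""
AD_KDC_LOG = """\
Mar 10 10:12:02 dc1 samba[1880]: TGS_REQ 10.1.2.50: Realm not local to KDC
Mar 10 10:12:02 dc1 samba[1880]: TGS_REQ 10.1.2.50: No matching key in entry
"""

MIT_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+):"
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")

# Stages of a cross-realm logon for an IPA user on an AD-joined workstation: it needs an
# IPA TGT, then a cross-realm TGT for the AD realm, before it can talk to the AD KDC.
STAGES = ["no_request_from_client", "preauth_requested", "ipa_tgt_issued", "cross_realm_tgt_issued"]

def parse_mit_kdc(log):
    """Return one dict per AS_REQ/TGS_REQ line of an MIT-style krb5kdc log."""
    return [m.groupdict() for m in map(MIT_RE.search, log.splitlines()) if m]

def cross_realm_stage(ipa_log, ad_log, client, trusted_realm):
    """Report the furthest stage `client` reached on the IPA KDC, plus AD-side errors."""
    reached = 0
    for ev in parse_mit_kdc(ipa_log):
        if ev["client"] != client:
            continue
        if ev["req"] == "AS_REQ" and ev["status"] == "NEEDED_PREAUTH":
            stage = "preauth_requested"
        elif ev["req"] == "AS_REQ" and ev["status"] == "ISSUE":
            stage = "ipa_tgt_issued"
        elif (ev["req"] == "TGS_REQ" and ev["status"] == "ISSUE"
              and ev["service"].startswith(f"krbtgt/{trusted_realm}@")):
            stage = "cross_realm_tgt_issued"
        else:
            continue
        reached = max(reached, STAGES.index(stage))
    # Errors the AD KDC logged for TGS requests (message text follows the last ": ").
    ad_errors = [l.rsplit(": ", 1)[-1] for l in ad_log.splitlines() if "TGS_REQ" in l]
    return {"stage": STAGES[reached], "ad_errors": ad_errors}

if __name__ == "__main__":
    print(cross_realm_stage(IPA_KDC_LOG, AD_KDC_LOG, "student@IPA.SCHOOL.EDU", "AD.SCHOOL.EDU"))
```

If the IPA side reports `cross_realm_tgt_issued` while the AD KDC still logs key errors, the IPA KDC has done its part and the next place to look is how the AD KDC handles the cross-realm ticket.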