On Wed, Feb 24, 2021 at 03:32:54PM +1100, Lachlan Simpson via FreeIPA-users wrote:
On Tue, Feb 23, 2021, at 15:36, Lachlan Simpson via FreeIPA-users wrote:
> I am seeing the following in the samba logs:
>
> [2021/02/23 14:57:23.259648, 0] ../../source3/smbd/server.c:1782(main)
> smbd version 4.12.3 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2020
> [2021/02/23 14:57:23.312207, 1] ../../source3/profile/profile.c:55(set_profile_level)
> INFO: Profiling turned OFF from pid 2360
> [2021/02/23 14:57:23.345139, 0] ipa_sam.c:3980(get_fallback_group_sid)
> Missing mandatory attribute ipaNTSecurityIdentifier.
> [2021/02/23 14:57:23.345184, 0] ipa_sam.c:4950(pdb_init_ipasam)
> Cannot find SID of fallback group.
> [2021/02/23 14:57:23.345194, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
> pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-TEST-IDM-COMPANY-COM.socket did not correctly init (error was NT_STATUS_INVALID_PARAMETER)
> [2021/02/23 15:05:11.201577, 0] ../../source3/smbd/server.c:1782(main)
> smbd version 4.12.3 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2020
> [2021/02/23 15:05:11.212856, 1] ../../source3/profile/profile.c:55(set_profile_level)
> INFO: Profiling turned OFF from pid 3146
> [2021/02/23 15:05:11.234448, 0] ipa_sam.c:3980(get_fallback_group_sid)
> Missing mandatory attribute ipaNTSecurityIdentifier.

Hi,

thanks for your patience. It looks like there is an issue with the
fallback group. Please check with

    ipa trustconfig-show

what is your fallback group and with

    ipa group-show --all 'Group Name'

if it has a SID assigned. If there is no SID, please check if the group
has a GID from the id-range assigned to the IPA domain.

bye,
Sumit

>
> A quick search suggests that potentially my change of the RID has affected SMB but I'm not 100% sure what to do next.
>
> I guess I need to add an ipaNTSecurityIdentifier variable - but I'm not sure where.
>
> This page https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-i... suggests that I need to add a sidgen to the FreeIPA users that exist, but those users were created via the GUI - shouldn't the SID have been created then?

I have run `ipa-adtrust-install --add-sids` - it finished without error but also without success - `ipactl restart` again fails on smb.

When I run an `ldapsearch` there is only one user entry without an ipaNTSecurityIdentifier and that's the IPA admin user created on installation? Should I just add an ipaNTSecurityIdentifier to the admin account?

Cheers
L.
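
The fallback-group check suggested in the reply above, as an added example that is not part of the original thread: it takes saved text from the `ipa` commands and reports whether the group has a SID and, if not, whether its GID lies inside the IPA id-range. The field labels and the use of `ipa idrange-show` for the range are assumptions about the CLI's text output, and the sample values are constructed.

```shell
#!/bin/sh
# Added example. Field labels are assumed to match the ipa CLI's text output;
# the SAMPLE_* values are constructed, not taken from the thread.

# field LABEL: print the value of the first "LABEL: value" line read on stdin.
field() {
    awk -v want="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(tolower(line), (tolower(want) ": ")) == 1 {
            print substr(line, length(want) + 3); exit
        }'
}

# diagnose GROUP_SHOW_TEXT IDRANGE_SHOW_TEXT
# Prints: ok | no-gid | range-unknown | gid-outside-range | sid-missing
diagnose() {
    sid=$(printf '%s\n' "$1" | field 'ipantsecurityidentifier')
    gid=$(printf '%s\n' "$1" | field 'GID')
    base=$(printf '%s\n' "$2" | field 'First Posix ID of the range')
    size=$(printf '%s\n' "$2" | field 'Number of IDs in the range')
    if [ -n "$sid" ]; then echo ok; return 0; fi
    if [ -z "$gid" ]; then echo no-gid; return 0; fi
    if [ -z "$base" ] || [ -z "$size" ]; then echo range-unknown; return 0; fi
    if [ "$gid" -lt "$base" ] || [ "$gid" -ge $(($base + $size)) ]; then
        echo gid-outside-range   # GID is not from the IPA domain's id-range
    else
        echo sid-missing         # GID is in range, yet no SID is stored
    fi
}

SAMPLE_TRUSTCONFIG='  Domain: test.example
  Fallback primary group: Default SMB Group'
SAMPLE_GROUP='  Group name: Default SMB Group
  GID: 5000'
SAMPLE_RANGE='  Range name: TEST.EXAMPLE_id_range
  First Posix ID of the range: 1000000
  Number of IDs in the range: 200000'

# On a live server the three texts would come from `ipa trustconfig-show`,
# `ipa group-show --all "$group"` and `ipa idrange-show <range>`.
group=$(printf '%s\n' "$SAMPLE_TRUSTCONFIG" | field 'Fallback primary group')
printf '%s: %s\n' "$group" "$(diagnose "$SAMPLE_GROUP" "$SAMPLE_RANGE")"
```
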