Bug 983237 - add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
All Linux
medium Severity medium
Assigned To: Martin Kosek
Namita Soman
Reported: 2013-07-10 15:14 EDT by Najmuddin Chirammal
Modified: 2014-06-18 03:09 EDT
Doc Type: Known Issue
Doc Text:
ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify an authentication mechanism when performing Active Directory Trust configuration changes. When the user specifies a default LDAP authentication mechanism other than the expected default (for example, by setting the SASL_MECH configuration option to GSSAPI in .ldaprc, the LDAP configuration file for the root user), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some parts of the Active Directory integration feature. As a result, the Samba daemon (smbd) can crash or the user will be unable to use the feature. To work around this problem, remove any user default settings related to the LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
Last Closed: 2013-09-03 07:32:42 EDT
Type: Bug
Description Najmuddin Chirammal 2013-07-10 15:14:17 EDT
Description of problem: samba crashes if ipaNTSecurityIdentifier is not present on the "default smb group". The issue occurs if we do not specify the --add-sids option during ipa-adtrust-install.

Version-Release number of selected component (if applicable): ipa-server-3.0.0-26.el6_4.4 

How reproducible: Always.

Steps to Reproduce:
1. Install IPA server,
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results: smbd crashes due to missing ipaNTSecurityIdentifier attribute on the default smb group.

Expected results: No samba crashes; wbinfo and smbclient return proper results.
Comment 2 Rob Crittenden 2013-07-11 09:25:38 EDT
Upstream ticket:
Comment 9 Martin Kosek 2013-09-03 07:31:12 EDT
This issue was caused by a configuration issue, adding a Known Issue doc paragraph.
Comment 10 Martin Kosek 2013-09-03 07:32:42 EDT
Closing the bug for 6.5, it will be only documented (and fixed upstream - https://fedorahosted.org/freeipa/ticket/3895).
Comment 11 Martin Kosek 2013-09-03 11:20:00 EDT
Fixed typo in doc text.
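
A pre-flight check for the workaround given in the Doc Text above, as an added example that is not part of the bug report or of FreeIPA: it lists per-user LDAP client settings that would override the default authentication before ipa-adtrust-install is run. The option list (selected here from ldap.conf(5)) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find per-user LDAP authentication defaults before running
# ipa-adtrust-install. Option names are selected from ldap.conf(5).
AUTH_OPTS='SASL_MECH|SASL_REALM|SASL_AUTHCID|SASL_AUTHZID|BINDDN'

# scan_ldaprc FILE: print "FILE:LINE: text" for each active line that sets one
# of AUTH_OPTS (names are case-insensitive). Returns 0 if any were found.
scan_ldaprc() {
    [ -r "$1" ] || return 1
    awk -v opts="^($AUTH_OPTS)\$" -v f="$1" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        toupper($1) ~ opts { printf "%s:%d: %s\n", f, NR, $0; hit = 1 }
        END { exit !hit }
    ' "$1"
}

# scan_env: the same options can be set as LDAP<OPTION> environment variables.
scan_env() {
    env | grep -E "^LDAP($AUTH_OPTS)="
}

# preflight [HOME_DIR]: check the default per-user files and the environment.
# Prints every override and returns 1 if there is at least one.
preflight() {
    home=${1:-$HOME}
    found=0
    for f in "$home/.ldaprc" "$home/ldaprc" ./ldaprc; do
        scan_ldaprc "$f" && found=1
    done
    scan_env && found=1
    [ "$found" -eq 0 ]
}

# Run the check when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight && echo "no LDAP authentication overrides found"
fi
```

Run it as root, the user that invokes ipa-adtrust-install; a non-zero exit status means at least one listed setting should be removed first.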
