Bug 983237 - add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install
Summary: add ipaNTSecurityIdentifier to "Default SMB Group" during ipa-adtrust-install
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Depends On:
Reported: 2013-07-10 19:14 UTC by Najmuddin Chirammal
Modified: 2014-06-18 07:09 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify the authentication mechanism when performing Active Directory Trust configuration changes. When the user specifies a default LDAP authentication mechanism other than the expected default (for example, by setting the SASL_MECH configuration option to GSSAPI in the LDAP configuration file for the root user, .ldaprc), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some parts of the Active Directory Integration feature; a crash of the Samba daemon (smbd) can occur, or the user will be unable to use the feature. To work around this problem, remove any user default settings related to the LDAP authentication mechanism from the .ldaprc file. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
Clone Of:
Last Closed: 2013-09-03 11:32:42 UTC
Target Upstream Version:


Description Najmuddin Chirammal 2013-07-10 19:14:17 UTC
Description of problem: Samba crashes if ipaNTSecurityIdentifier is not present on the "Default SMB Group". The issue occurs if we do not specify the --add-sids option during ipa-adtrust-install.

Version-Release number of selected component (if applicable): ipa-server-3.0.0-26.el6_4.4 

How reproducible: Always.

Steps to Reproduce:
1. Install IPA server.
2. Run ipa-adtrust-install (without --add-sids option)
3. Once it's completed, try using wbinfo/smbclient commands, watch the logs.

Actual results: smbd crashes due to missing ipaNTSecurityIdentifier attribute on the default smb group.

Expected results: No Samba crashes; wbinfo and smbclient return proper results.

Comment 2 Rob Crittenden 2013-07-11 13:25:38 UTC
Upstream ticket:

Comment 9 Martin Kosek 2013-09-03 11:31:12 UTC
This issue was caused by a configuration issue, adding a Known Issue doc paragraph.

Comment 10 Martin Kosek 2013-09-03 11:32:42 UTC
Closing the bug for 6.5, it will be only documented (and fixed upstream - https://fedorahosted.org/freeipa/ticket/3895).

Comment 11 Martin Kosek 2013-09-03 15:20:00 UTC
Fixed typo in doc text.
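
A pre-flight check for the workaround in the Doc Text, as an added example that is not part of the bug report or of ipa-adtrust-install: it lists per-user LDAP authentication defaults that would override the mechanism the installer expects. The function names, the option list beyond SASL_MECH (taken from ldap.conf(5)), and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find LDAP auth defaults that ipa-adtrust-install would inherit.
# Assumed option list: user-only authentication options from ldap.conf(5).
AUTH_OPTS='SASL_MECH|SASL_REALM|SASL_AUTHCID|SASL_AUTHZID|BINDDN'

# find_ldap_auth_defaults FILE: print "FILE:LINE: OPTION VALUE" for each
# active (non-comment) setting. Returns 0 if any found, 1 if clean or absent.
find_ldap_auth_defaults() {
    file=$1
    [ -r "$file" ] || return 1
    awk -v opts="^(${AUTH_OPTS})$" -v f="$file" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            name = toupper($1)             # option names are case-insensitive
            if (name ~ opts) {
                printf "%s:%d: %s %s\n", f, NR, name, $2
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$file"
}

# check_ldap_auth_environment: scan the per-user files OpenLDAP clients read,
# plus the LDAPSASL_MECH environment override. Returns 0 if anything is set.
check_ldap_auth_environment() {
    status=1
    for f in "$HOME/.ldaprc" "$HOME/ldaprc" ./ldaprc; do
        if find_ldap_auth_defaults "$f"; then status=0; fi
    done
    if [ -n "${LDAPSASL_MECH:-}" ]; then
        echo "environment: LDAPSASL_MECH=$LDAPSASL_MECH"
        status=0
    fi
    return $status
}

# Constructed sample: an ldaprc with the SASL_MECH setting from the Doc Text.
demo_constructed_ldaprc() {
    d=$(mktemp -d)
    printf '%s\n' 'URI ldap://ipa.example.test' 'sasl_mech GSSAPI' > "$d/ldaprc"
    find_ldap_auth_defaults "$d/ldaprc"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `check_ldap_auth_environment` as root before ipa-adtrust-install; any line it prints is a setting to remove or comment out first.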
