Permissions problem with NethServer and remote AD 2008 SP2

troublestarter · April 30, 2018, 10:14am

Hi
Users permissions not functiun well with shared folders and permissions.

Here my informations

Account provider

i have saved again information and here is the ouput of /var/log/messages logs

Apr 30 12:13:25 srv-data systemd: Reloading.
Apr 30 12:13:25 srv-data systemd: Starting System Security Services Daemon…
Apr 30 12:13:25 srv-data sssd: Starting up
Apr 30 12:13:25 srv-data sssd[be[chabert.internal]]: Starting up
Apr 30 12:13:25 srv-data sssd[nss]: Starting up
Apr 30 12:13:25 srv-data sssd[pam]: Starting up
Apr 30 12:13:25 srv-data systemd: Started System Security Services Daemon.
Apr 30 12:13:25 srv-data esmith::event[20137]: [INFO] sssd has been started
Apr 30 12:13:25 srv-data esmith::event[20137]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.51964]
Apr 30 12:13:25 srv-data esmith::event[20137]: Event: nethserver-sssd-save SUCCESS
Apr 30 12:13:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 12:13:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 12:13:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 12:13:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 12:13:26 srv-data sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Apr 30 12:13:26 srv-data sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Apr 30 12:13:26 srv-data sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.

troublestarter · April 30, 2018, 10:18am

[root@srv-data ~]# config show sssd
sssd=service
    AdDns=172.30.0.24
    BaseDN=DC=chabert,DC=internal
    BindDN=
    BindPassword=
    GroupDN=DC=chabert,DC=internal
    LdapURI=ldap://dc2008.chabert.internal
    Provider=ad
    Realm=CHABERT.INTERNAL
    StartTls=
    UserDN=DC=chabert,DC=internal
    Workgroup=CHABERT
    status=enabled

[root@srv-data ~]# config show dns
dns=configuration
    NameServers=172.30.0.24,8.8.8.8

[root@srv-data ~]# config show nsdc
[root@srv-data ~]#

[root@srv-data ~]# cat /etc/hosts
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#


#
# 10localhost
#
127.0.0.1       localhost       localhost.localdomain


#
# 20hostname(s)
#
172.30.0.12             srv-data.chabert.internal srv-data



#
# 30hosts_remote
#


#
# 40hosts_local
#

troublestarter · April 30, 2018, 10:35am

Maybe the domain controller is too old …
I’m trying to update it or migrate the AD version in major release…

mrmarkuz · April 30, 2018, 11:20am

Hi David,

you may try “ldaps://…” with STARTTLS “no” or “ldap://” with STARTTLS “yes”. Sometimes unbind and rejoin helps. Different system clocks could be a problem too.

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain

This may be a problem. The Google DNS 8.8.8.8 is not able to resolve your AD domain so please try to remove it and use the internal DNS only.

troublestarter · April 30, 2018, 12:28pm

1 -> Delete 8.8.8.8 from secondary DNS Server OK
2-> Validated again “Account provider” and ask to rejoin domain OK
3-> Go to “Domain account” -> Still “Could not connect to accounts provider!” error.

troublestarter · April 30, 2018, 12:35pm

Try with ldap with STARTLS and ldaps with no tls

same errors
Apr 30 14:34:25 srv-data esmith::event[24138]: Event: nethserver-sssd-save SUCCESS
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:25 srv-data sssd: ; TSIG error with server: tsig verify failure
Apr 30 14:34:32 srv-data xe-daemon: Running CollectOS …
Apr 30 14:34:32 srv-data xe-daemon: Running CollectMisc …
Apr 30 14:34:32 srv-data xe-daemon: Running CollectNetworkAddr …

pike · April 30, 2018, 12:37pm

do nethserver resolve correctly the hostname for “dc2008.chabert.internal”?
Poor answer: yes, is already joined at the domain.

But my little question is: why join the doman and use LDAP auth?

troublestarter · April 30, 2018, 12:55pm

I’ve used domain join…
So i have put informations like asked by documentation :

troublestarter · April 30, 2018, 1:02pm

i don’t want to use ldap.
MY problem is that :

i have a lots permissions problem with shared folders…
Is there a command to test shared folder access with specific AD account ?

pike · April 30, 2018, 1:13pm

Join went ok with TLS disabled. Should LDAP connection have TLS disabled too?

mrmarkuz · April 30, 2018, 10:11pm

You may use smbclient:

smbclient //yourserver/sharetotest -U admin

https://www.samba.org/samba/docs/current/man-html/smbclient.1.html

troublestarter · May 3, 2018, 10:32am

I think the problem come from the windows server.

Is there a way to migrate fsmo roles to nethserver to have the nethserver working as PDC ?

mrmarkuz · May 3, 2018, 10:52am

Usually I’d agree but it should work with 2008 AFAIK.

It’s still experimental as you need to join the AD as DC to get the roles:

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory

I played with joining as DC some time ago but it wasn’t stable: