Error message trying to authenticate Samba against our FreeIPA servers

Shore-Bank
Posts: 8
Joined: 2021/02/06 00:47:57

Post by Shore-Bank » 2022/12/05 22:37:21

Hey all -

I'm having a hell of a time getting Samba to authenticate against our FreeIPA server, getting the error message "No builtin nor plugin backend for ipasam found" in the output of systemctl status smb. I'm not sure what the issue is, I'm installing stuff from the CentOS 7 repositories, but nothing is taking. I'm running Samba 4.10.16, sssd-libwbclient.x86_64 version 1.16.5-10.el7_9.13, and ipa-client.x86_64 version 4.6.8-5.el7.centos.12, per the versions available in the CentOS 7 repositories. I don't really see why this isn't working, everything that I've found online suggests that these packages and versions are what I need to have Samba authenticate against FreeIPA, but... that error message continues and I haven't a clue as to what's going on.

Code:

● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2022-12-05 15:12:14 MST; 4s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 2125 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 2125 (code=exited, status=1/FAILURE)
   Status: "Starting process..."

Dec 05 15:12:14 samba.example.com systemd[1]: Starting Samba SMB Daemon...
Dec 05 15:12:14 samba.example.com smbd[2125]: [2022/12/05 15:12:14.778199,  0] ../../source3...me)
Dec 05 15:12:14 samba.example.com smbd[2125]:   No builtin nor plugin backend for ipasam found
Dec 05 15:12:14 samba.example.com systemd[1]: smb.service: main process exited, code=exited,...URE
Dec 05 15:12:14 samba.example.com systemd[1]: Failed to start Samba SMB Daemon.
Dec 05 15:12:14 samba.example.com systemd[1]: Unit smb.service entered failed state.
Dec 05 15:12:14 samba.example.com systemd[1]: smb.service failed.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by TrevorH » 2022/12/06 09:58:59

Does the output from yum provides '*ipasam*' help?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Shore-Bank
Posts: 8
Joined: 2021/02/06 00:47:57

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by Shore-Bank » 2022/12/07 18:17:22

I'm... not sure. I get the following output, and maybe that's the solution, but this is not our IPA server - it is our fileserver, and an IPA client, sooo... I'm not sure if I need to install this or not. :P

EDIT 20221207: I did install that (package "ipa-server-trust-ad"), and that DID help the service start! Now, for whatever reason, it insists that I have no right to see these directories. :(

Code:

[root@samba]# yum provides '*ipasam*'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.centos.iad1.serverforge.org
 * centos-sclo-rh: mirrors.cmich.edu
 * centos-sclo-sclo: mirrors.raystedman.org
 * epel: ftp-chi.osuosl.org
 * extras: mirror.wdc1.us.leaseweb.net
 * remi-php56: mirror.usi.edu
 * remi-php81: mirror.usi.edu
 * remi-safe: mirror.usi.edu
 * updates: ftpmirror.your.org
ipa-server-trust-ad-4.6.8-5.el7.centos.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : base
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.4.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.5.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.6.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.7.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.9.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.10.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.11.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so



ipa-server-trust-ad-4.6.8-5.el7.centos.12.x86_64 : Virtual package to install packages required for Active Directory trusts
Repo        : updates
Matched from:
Filename    : /usr/lib64/samba/pdb/ipasam.so
Last edited by Shore-Bank on 2022/12/07 18:41:51, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by TrevorH » 2022/12/07 18:40:23

I tried to install that package and it pulls in ipa-client and -server/-server-common.

I'm suspecting you might have a configuration problem that leads it to try to use that module.

Shore-Bank
Posts: 8
Joined: 2021/02/06 00:47:57

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by Shore-Bank » 2022/12/07 18:48:00

Well, I'm using samba-regedit to configure my Samba install, and have pulled the registry.tdb file from an older server (a CentOS 6 box that we are migrating FROM - I tried to use Alma 8 but it won't work with our 14-year-old RAID controller 🙄) - but in HKEY_LOCAL_MACHINE/SOFTWARE/Samba/smbconf under global, we have passdb backend set to ipasam:"ldap://ipa1.example.com ldap://ipa2.example.com". That works on our older CentOS 6 box. It doesn't seem to at the moment - and our older CentOS 6 box does indeed have ipa-server and ipa-server-trust-ad installed. :P

Shore-Bank
Posts: 8
Joined: 2021/02/06 00:47:57

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by Shore-Bank » 2022/12/07 18:57:47

Never mind, SELinux issue. 😡

As soon as I set it to setenforce 0, worked great. Presumably I need to set it up such that everything under my Samba shares is considered by SELinux to be a "Samba" directory. :P

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by TrevorH » 2022/12/07 21:03:34

Read /etc/smb/smb.conf.example for selinux instructions.

Shore-Bank
Posts: 8
Joined: 2021/02/06 00:47:57

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by Shore-Bank » 2022/12/07 22:24:47

I actually got it all working! Even made a few tweaks to the samba-regedit configuration such that now our files aren't being written as executable all over the place, which is nice. Perhaps next, I'll set up ACLs, but. Baby steps.

For posterity and good internet karma: Basically, I just had to set a couple of Samba booleans for my shares, which we'll say all live under the /share directory:

Code:

setsebool -P samba_create_home_dirs=1
setsebool -P samba_enable_home_dirs=1
setsebool -P samba_share_nfs=1
semanage fcontext -a -t samba_share_t "/share(/.*)?"

I figured out it was SELinux by carrying out the all-important test of running the setenforce 0 command (which sets SELinux into a permissive enforcement mode, audits stuff, but doesn't actually block anything), at which point I was able to connect like normal. That's when I KNEW it was SELinux. Then, I undid that by doing the setenforce 1 command, re-enabling SELinux into its enforcing mode (with both audits AND blocks), ran those SELinux commands, and voilà! I was then STILL able to connect, even with SELinux running.

A few further tests and reconfigurations of our Samba file shares later, and now I have files being created with a 0660 create mask and directories with a 0770 mask. I might go back to inherit permissions, but as you NEED the executable bit to traverse folders, I'm less inclined to do that.
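
Added example, not part of the original posts: the denials that pointed to SELinux in the post above can also be read from the audit log while the host stays in enforcing mode. The function names smbd_denials and suggest are hypothetical, and the sample records are constructed; the script summarises what smbd_t was denied and maps each target type to the matching fix from the post.

```shell
#!/bin/sh
# Added example. SAMPLE_AUDIT is constructed audit.log-style data, not from the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1670453867.101:456): avc:  denied  { read } for  pid=2301 comm="smbd" name="projects" dev="sda3" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1670453867.202:457): avc:  denied  { getattr } for  pid=2301 comm="smbd" path="/share/projects/plan.odt" dev="sda3" ino=140 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1670453870.303:458): avc:  denied  { open } for  pid=1999 comm="httpd" path="/srv/www/x" dev="sda3" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1670453871.404:459): avc:  denied  { read } for  pid=2301 comm="smbd" name="home" dev="nfs" ino=9 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0'

# Print "<count> <target type> <object class>" for every distinct object
# that a process running as smbd_t was denied. Reads audit records on stdin.
smbd_denials() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:smbd_t:/ {
            ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (ttype != "") seen[ttype " " tclass]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2,3
}

# Map each denied type to the matching fix from the post above; any other
# type is left for manual review rather than being relabelled blindly.
suggest() {
    smbd_denials | while read -r count ttype tclass; do
        case "$ttype" in
            nfs_t)     echo "$ttype: setsebool -P samba_share_nfs=1" ;;
            default_t) echo "$ttype: semanage fcontext rule, then restorecon -Rv /share" ;;
            *)         echo "$ttype: review before changing policy" ;;
        esac
    done | sort -u
}

# On a real host the input would be: ausearch -m avc -c smbd -ts recent | suggest
printf '%s\n' "$SAMPLE_AUDIT" | suggest
```

A semanage fcontext rule only records the label for the path; restorecon -Rv /share is what applies it to files that already exist.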

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Error message trying to authenticate Samba against our FreeIPA servers

Post by Whoever » 2022/12/08 03:52:16

TrevorH wrote (2022/12/07 21:03:34):
> Read /etc/smb/smb.conf.example for selinux instructions.

Isn't that /etc/samba/smb.conf.example?
