
AD share is not able to fetch own SID

Open turricum opened this issue 2 years ago • 26 comments

I installed the Samba Operator 0.2 on an Openshift 4.8 Barebone Cluster. I created some AD shares.

  1. the created share export pod is starting
  2. in AD (Samba 4.12.2) the computer object is created
  3. the pod has a CrashLoopBackOff, the wb container cannot start:

```
winbindd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
```

yamls:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: join1
  namespace: samba-shares
type: Opaque
stringData:
  join.json: |
    {"username": "samba-container-join", "password": ":-)"}
---
apiVersion: samba-operator.samba.org/v1alpha1
kind: SmbSecurityConfig
metadata:
  name: addomain
  namespace: samba-shares
spec:
  mode: active-directory
  realm: ad.domain.com
  joinSources:
  - userJoin:
      secret: join1
      key: join.json
---
apiVersion: samba-operator.samba.org/v1alpha1
kind: SmbCommonConfig
metadata:
  name: freigabe
  namespace: samba-shares
spec:
  network:
    publish: external
---
apiVersion: samba-operator.samba.org/v1alpha1
kind: SmbShare
metadata:
  name: testshare
  namespace: samba-shares
spec:
  commonConfig: freigabe
  securityConfig: addomain
  readOnly: false
  storage:
    pvc:
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
```

samba-tool at the AD server shows that the entry is created:

```
# samba-tool computer show TESTSHARE
dn: CN=TESTSHARE,OU=Containers,OU=Domain Computers,DC=ad,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: TESTSHARE
instanceType: 4
whenCreated: 20220615103058.0Z
uSNCreated: 144306
name: TESTSHARE
objectGUID: 3adabc17-a938-47fa-843c-1e864b86e19e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-2358220382-4025805735-3930986455-1375
accountExpires: 9223372036854775807
sAMAccountName: TESTSHARE$
sAMAccountType: 805306369
servicePrincipalName: HOST/TESTSHARE.ad.domain.com
servicePrincipalName: RestrictedKrbHost/TESTSHARE.ad.domain.com
servicePrincipalName: HOST/TESTSHARE
servicePrincipalName: RestrictedKrbHost/TESTSHARE
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=domain,DC=com
isCriticalSystemObject: FALSE
dNSHostName: testshare.ad.domain.com
lastLogonTimestamp: 132997626582395210
msDS-SupportedEncryptionTypes: 31
pwdLastSet: 132997630161230470
userAccountControl: 4096
lastLogon: 132997630162023640
logonCount: 6
whenChanged: 20220615104727.0Z
uSNChanged: 144314
distinguishedName: CN=TESTSHARE,OU=Containers,OU=Domain Computers,DC=ad,DC=domain,DC=com
```

3) debug the pod / wb container

```
# oc get pods
NAME                                   READY   STATUS             RESTARTS   AGE
testshare-testshare-5986c96565-92gx9   1/2     CrashLoopBackOff   12         41m
# oc get logs testshare-5986c96565-92gx9 -c wb
winbindd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
sh-5.1# samba-container
[global]
	disable spoolss = yes
	fileid:algorithm = fsid
	load printers = no
	printcap name = /dev/null
	printing = bsd
	smb ports = 445
	vfs objects = fileid
	idmap config * : backend = autorid
	idmap config * : range = 2000-9999999
	realm = AD.DOMAIN.COM
	security = ads
	workgroup = AD
	netbios name = testshare

[testshare]
	path = /mnt/75067755-fe82-4f3c-841f-1ad7df34b5c8
	read only = no
```

and the same when I start debugging ...

```
[root@testshare-5986c96565-92gx9-debug /]# samba-container run winbindd
winbindd version 4.15.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2021
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
```

So, there is a SID, AD says welcome, and the pod cannot fetch its own SID.

turricum, Jun 15 '22 13:06
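As an added example (not code from the issue or from the samba-operator project), the following Python script makes the AD-side verification the reporter did by eye explicit: it parses the `samba-tool computer show` output and checks that the machine account is consistent with the `netbios name` and `realm` from the posted smb.conf. The sample input is the page's own output trimmed to the attributes the check reads; the function names, the flag constants and the check list are mine.

```python
import re

# Sample input: the `samba-tool computer show TESTSHARE` output posted in the
# issue, trimmed to the attributes this check reads (values as shown on the page).
SAMPLE_LDIF = """\
dn: CN=TESTSHARE,OU=Containers,OU=Domain Computers,DC=ad,DC=domain,DC=com
objectClass: computer
cn: TESTSHARE
objectSid: S-1-5-21-2358220382-4025805735-3930986455-1375
sAMAccountName: TESTSHARE$
sAMAccountType: 805306369
servicePrincipalName: HOST/TESTSHARE.ad.domain.com
servicePrincipalName: RestrictedKrbHost/TESTSHARE.ad.domain.com
servicePrincipalName: HOST/TESTSHARE
servicePrincipalName: RestrictedKrbHost/TESTSHARE
dNSHostName: testshare.ad.domain.com
userAccountControl: 4096
"""

# userAccountControl flag bits (well-known MS-SAMR values).
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# A domain-relative SID: S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def parse_ldif(text):
    """Parse flat 'attr: value' lines into a dict of attr -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            continue
        attrs.setdefault(name, []).append(value)
    return attrs


def domain_sid(sid):
    """Strip the RID, leaving the domain SID the member must know locally."""
    return sid.rsplit("-", 1)[0]


def check_machine_account(ldif_text, netbios_name, realm):
    """Return a list of findings; an empty list means the AD object looks like a
    healthy machine account for netbios_name in realm."""
    attrs = parse_ldif(ldif_text)
    findings = []

    def first(name):
        return attrs.get(name, [""])[0]

    # The account name AD knows must be the netbios name the member uses.
    sam = first("sAMAccountName")
    if sam.upper() != netbios_name.upper() + "$":
        findings.append(f"sAMAccountName {sam!r} does not match netbios name {netbios_name!r}")

    sid = first("objectSid")
    if not SID_RE.match(sid):
        findings.append(f"objectSid missing or malformed: {sid!r}")

    try:
        uac = int(first("userAccountControl"))
    except ValueError:
        uac = 0
        findings.append("userAccountControl missing")
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("userAccountControl lacks WORKSTATION_TRUST_ACCOUNT (0x1000)")
    if uac & UF_ACCOUNTDISABLE:
        findings.append("account is disabled (ACCOUNTDISABLE bit set)")

    # DNS name and Kerberos SPNs must agree with netbios name + realm.
    fqdn = f"{netbios_name}.{realm}".lower()
    if first("dNSHostName").lower() != fqdn:
        findings.append(f"dNSHostName {first('dNSHostName')!r} != expected {fqdn!r}")

    spns = {s.lower() for s in attrs.get("servicePrincipalName", [])}
    for want in (f"host/{fqdn}", f"host/{netbios_name.lower()}"):
        if want not in spns:
            findings.append(f"missing SPN {want}")

    return findings


if __name__ == "__main__":
    # Values taken from the posted smb.conf: netbios name = testshare, realm = AD.DOMAIN.COM
    result = check_machine_account(SAMPLE_LDIF, "testshare", "ad.domain.com")
    for line in result or ["AD machine account looks healthy"]:
        print(line)
    print("domain SID:", domain_sid("S-1-5-21-2358220382-4025805735-3930986455-1375"))
```

A clean result here confirms what the reporter concluded: the AD side is fine. The winbindd message "Could not fetch our SID - did we join?" is raised when winbindd cannot read the domain SID for its configured workgroup from its local secrets database, so a healthy computer object narrows the investigation to whether the join's secrets are present where the wb container reads them, rather than to the directory.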