Isilon OneFS not authenticating against Samba AD ?

Question

Hi, we are in the process of migrating our current environment consisting of an Isilon OneFS cluster (v8.0.0.4) serving SMB and NFS shares, LDAP servers (for authentication/authorization) and a mix of Linux, Mac en Windows clients to an environment which will use Samba AD as a replacement for LDAP for authentication/authorization. We managed to get the Isilon OneFS cluster to join the domain on the Samba AD server and we can get the user and group lists from the domain both on the command line and in the web interface of the Isilon OneFS cluster. However, authentication/authorization fails when trying to connect with a Windows, Mac or Linux client to a SMB share on the Isilon cluster. For the record, I am testing this on a seperate environment using the Isilon OneFS simulator v8.1.0.1. When I have a look in the logfiles I can find the following in the /var/log/lsass.log file ( I masked out our domain/user values) : 2018-04-04T14:11:49Z <30.4> dbg-test-1 lsass[2433]: [LwKrb5InitializeUserLoginCredentialsS4U /b/mnt/src/isilon/fsp/lwadvapi/threaded/lwkrb5.c:1390] KRB5 Error code: -1765328243 (Message: Matching credential not found (filename: /var/lib/likewise/krb5cc_lsass_S4U. )) 2018-04-04T14:11:49Z <30.3> dbg-test-1 lsass[2433]: [lsass] Failed to find group memberships of SID=S-1-5-21-1654374101-3569970681-3921896634-11811. [error code:41874] [Symbol: LW_ERROR_KRB5_CC_NOTFOUND] 2018-04-04T14:11:49Z <30.3> dbg-test-1 lsass[2433]: [lsass] Failed to find memberships for ' \ ' (error = 41874) Is there anyone who has this kind of setup working (Isilon OneFS with Samba AD) ? Any help would be greatly aprreciated !! Kind Regards, Michel van Deventer

Ryan_CSULB · Answer

Michel, I don't have this setup, so this may not be of much help, but that's a Kerberos issue. There is a .pdf that EMC has to troubleshoot Kerb issues (docu69146.pdf) and I found it helpful to find some minor issues with what I thought was a Kerberos issue. If you haven't used it already, it's worth a try to get the more obvious problems squared away.

I'm not entirely certain on your setup (never having run Samba AD here) but does the Samba server sort of act like a proxy to your main AD environment? If so, you may be running into a double-hop issue. Years ago I had this issue when I was trying to get a scale-out SQL Reporting environment set up (IIS web server, SQL server, SQL reporting server) and I had to call Microsoft to get assistance. At the time there was little information I could find that discussed this setup, and it took the engineer a few days, but he was able to come back exactly with the solution I needed and I was able to get it working. A few months later, a KB article showed up describing how to accomplish this sort of scale-out environment (I've always thought I was the reason for that KB article!).

So maybe completely unrelated, but I think it's worth making sure your Kerberos setup is correct (all SPN's exists, etc.) first. Then perhaps some time researching the double-hop issue to see if it gels with what you are seeing. Hopefully I'm not sending you on a wild goose chase.

Isilon

Was this post helpful?