[Freeipa-devel] using freeipa as a samba backend

Simo Sorce ssorce at redhat.com
Thu May 8 13:08:58 UTC 2008


On Wed, 2008-05-07 at 18:53 -0500, William Baker wrote:
> I've got an existing FDS running as LDAP backend for Samba.  I maintain 
> accounts in that system with the smbldap- tools.  I read somewhere that 
> the ipa- tools should create the LM hash for Samba, but I don't seem to 
> find that documentation now.

The password change module will generate NT/LM hashes if the
sambaSamAccount objectclass is present on the object.

> I've also followed along enough to know 
> that the true Samba integration is really a V2 feature.

Possibly.

> Is it possible now to use the ipa-useradd tool in smb.conf?

The only problem with that is that you need valid Kerberos credentials
and the right to create user objects in the tree. You should be able to
create a special user for that and obtain a keytab which you will use to
get a valid ticket. But no, it won't work as is.

> I suppose the smbldap-tools should continue to work with FreeIPA, though 
> I could imagine this might not be "best practice".

If you use it only to create machine accounts it might be ok. For users
it is probably not as it would miss many objectclasses and attributes
IPA requires.

> Is there a "best practice" for using FreeIPA with Samba?

Not at this moment.

> I would really like an approach 
> that allowed me to use V1 today and transition to V2 without too much pain.
> 
> Sorry if I'm asking an obvious question that I should see in the MAN 
> pages.  I can't boot my FreeIPA server right now since FDS can't find 
> the DNS server, and the boot process hangs with a message about 
> initializing sbus.

I would add the public IP and hostname to /etc/hosts.
Also using nscd may help at boot (we should set it on by default,
exactly to handle dbus startup issues).

> I've seen this before when using LDAP as a backend 
> user account manager and know how to deal with it, as soon as I figure 
> out how to boot a different runlevel in a Xend VM.  But that's not 
> really the problem I'm asking about here.  If anyone asks, I can detail 
> the problem more clearly for other normal "users" that will have the 
> same problem after Fedora 9 is released.

We still have minor bugs we are going to address with an update once
Fedora 9 is released, feel free to open bugzillas if you find bugs.

> By the way, congrats on getting V1 into Fedora 9.  You'll probably know 
> how long it took FDS to get into the Fedora repository.  Everybody 
> should be pleased to see FreeIPA progressing so well.

Thanks,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York