<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/20/2014 09:15 AM, Loris
Santamaria wrote:<br>
</div>
<blockquote cite="mid:1413810952.3012.22.camel@toron.pzo.lgs.com.ve"
type="cite">
<pre wrap="">Hi all,
I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.
I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
could get.
First step, added a group for Domain Computers in ipa, with SID
S-1-XXXX-515:
dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500
Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:
dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
serverHostName: gcentralproxy
Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.
Fourth step, added a simple samba configuration file on the future samba
server:
[global]
workgroup = YYYY
realm = XXXX
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 100000
security = domain
Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.
Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.
Best regards
</pre>
<br>
<br>
</blockquote>
<br>
Do I get it right that you are really looking for
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/sssd/ticket/1588">https://fedorahosted.org/sssd/ticket/1588</a> that was just released
upstream?<br>
It would be cool if you could try using SSSD 1.12.1 under Samba FS in
the use case you have and provide feedback on how it works for you.<br>
<br>
AFAIU you install Samba FS and then use ipa-client to configure SSSD
under it and it should work.<br>
If not, we probably should document it (but I do not see any special
design page which leads me to the above expectation).<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
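<p>Added example, not code from this thread nor from FreeIPA or Samba: a
pre-flight check for the two objects the first message builds by hand (the
"Domain Computers" group and the POSIX/NT attributes on the host entry),
followed by an LDIF renderer for ldapmodify. It verifies that the group SID is
the IPA domain SID plus the well-known RID 515, that the host SID belongs to
the same domain, that the host's primary gidNumber is the group's, and that
the machine account uid carries the trailing "$" Samba expects. The base DN,
domain SID, host name and ID numbers are constructed placeholders; the
check only catches inconsistencies in the hand-built entries and makes no
claim that ipasam will accept them or that the unsupported setup works.</p>

```python
# Added example (not code from the thread, FreeIPA or Samba): a pre-flight
# check for the two IPA objects the first message builds by hand, plus an
# LDIF renderer for ldapmodify. Every SID, DN and number here is constructed.
import re

DOMAIN_COMPUTERS_RID = 515  # well-known RID of the "Domain Computers" group
# Only NT domain SIDs (S-1-5-21-<sub1>-<sub2>-<sub3>-<rid>) are accepted.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for an NT domain SID; raise ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an NT domain SID: %r" % sid)
    s1, s2, s3, rid = m.groups()
    return "S-1-5-21-%s-%s-%s" % (s1, s2, s3), int(rid)


def check_objects(domain_sid, group, host):
    """Consistency checks between the IPA domain SID, the group and the host.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    problems = []
    try:
        gdom, grid = split_sid(group["sid"])
        if gdom != domain_sid:
            problems.append("group SID is not in domain %s" % domain_sid)
        if grid != DOMAIN_COMPUTERS_RID:
            problems.append("group RID is %d, expected %d"
                            % (grid, DOMAIN_COMPUTERS_RID))
    except ValueError as err:
        problems.append(str(err))
    try:
        hdom, hrid = split_sid(host["sid"])
        if hdom != domain_sid:
            problems.append("host SID is not in domain %s" % domain_sid)
        if hrid == DOMAIN_COMPUTERS_RID:
            problems.append("host SID reuses the Domain Computers RID")
    except ValueError as err:
        problems.append(str(err))
    # The host's primary group must be the Domain Computers group.
    if host["gidNumber"] != group["gidNumber"]:
        problems.append("host gidNumber %s != group gidNumber %s"
                        % (host["gidNumber"], group["gidNumber"]))
    # Samba machine accounts are named <shortname>$.
    if not host["uid"].endswith("$"):
        problems.append("machine account uid must end with '$'")
    elif host["uid"][:-1].lower() != host["fqdn"].split(".")[0].lower():
        problems.append("uid %s does not match host name %s"
                        % (host["uid"], host["fqdn"]))
    return problems


def _modify(dn, attrs):
    """Render an LDIF 'changetype: modify' record adding each (attr, value)."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in attrs:
        lines += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"


def group_ldif(base_dn, group):
    """LDIF adding the NT attributes to an existing IPA group (e.g. one made
    with 'ipa group-add', which already carries posixgroup and a gidNumber)."""
    return _modify("cn=%s,cn=groups,cn=accounts,%s" % (group["cn"], base_dn),
                   [("objectClass", "ipantgroupattrs"),
                    ("ipaNTSecurityIdentifier", group["sid"])])


def host_ldif(base_dn, host):
    """LDIF giving an existing IPA host entry POSIX and NT user attributes."""
    return _modify("fqdn=%s,cn=computers,cn=accounts,%s" % (host["fqdn"], base_dn),
                   [("objectClass", "posixAccount"),
                    ("objectClass", "ipantuserattrs"),
                    ("uid", host["uid"]),
                    ("uidNumber", host["uidNumber"]),
                    ("gidNumber", host["gidNumber"]),
                    ("homeDirectory", "/dev/null"),
                    ("loginShell", "/sbin/nologin"),
                    ("ipaNTSecurityIdentifier", host["sid"])])


# Constructed sample data (placeholder base DN, domain SID, host name and IDs).
BASE_DN = "dc=example,dc=test"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP = {"cn": "domaincomputers", "gidNumber": "1870500500",
         "sid": DOMAIN_SID + "-515"}
HOST = {"fqdn": "gcentralproxy.example.test", "uid": "gcentralproxy$",
        "uidNumber": "1870400015", "gidNumber": "1870500500",
        "sid": DOMAIN_SID + "-14301"}
# A host entry with three of the mistakes the check is meant to catch:
# foreign domain SID, wrong primary group, missing '$' on the uid.
BAD_HOST = dict(HOST, uid="gcentralproxy", gidNumber="1870500501",
                sid="S-1-5-21-4444444444-5555555555-6666666666-14301")

if __name__ == "__main__":
    for name, host in (("host", HOST), ("bad host", BAD_HOST)):
        print("%s: %s" % (name, check_objects(DOMAIN_SID, GROUP, host) or "ok"))
    print(group_ldif(BASE_DN, GROUP))
    print(host_ldif(BASE_DN, HOST))
```

<p>Run it once against the real values (the IPA domain SID is the prefix of
every ipaNTSecurityIdentifier the server already issues) and only feed the
rendered LDIF to ldapmodify when the problem list is empty; a redacted or
truncated SID such as the "S-1-5-21-XXXXXXXXXX-515" form in the first message
is rejected outright rather than silently stored.</p>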
</body>
</html>