<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/29/2014 08:15 AM, John Obaterspok
wrote:<br>
</div>
<blockquote
cite="mid:CAOscVdJmW2B-R3PGT516e+zGd=9hnQzNA8D+5EawDLF098qAwA@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I might be interested in this as well. Does this mean it
would be possible for a Windows client to access Samba FS
through IPA-provided credentials?<br>
</div>
<div>Currently my Windows PC gets IPA ticket (through MIT
kerberos application) and can use this ticket to login to
Linux server via putty. I would jump up and down if I could
access samba FS in the same way from Windows:)</div>
<div><br>
</div>
<div>(I got sssd 1.12.1 and freeipa 4.1 running on F20)</div>
<div><br>
</div>
</div>
</blockquote>
I suspect that if you deploy Samba FS with SSSD configured as a
member server of the IPA domain it should be possible.<br>
<br>
<br>
<blockquote
cite="mid:CAOscVdJmW2B-R3PGT516e+zGd=9hnQzNA8D+5EawDLF098qAwA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>-- john</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-23 12:32 GMT+02:00 Sumit Bose <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">On Tue, Oct 21, 2014 at 07:49:11AM -0430,
Loris Santamaria wrote:<br>
> On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal
wrote:<br>
> > On 10/20/2014 09:15 AM, Loris Santamaria
wrote:<br>
><br>
> [...]<br>
><br>
> > ><br>
> > > Trying to join the server to the domain
(net rpc join -U domainadmin -S<br>
> > > ipaserver) fails, and it causes a samba
crash on the ipa server.<br>
> > > Investigating the cause of the crash I
found that pdbedit crashes as<br>
> > > well (backtrace attached). I couldn't get
a meaningful backtrace from<br>
> > > the samba crash however I attached it as
well.<br>
> > ><br>
> > > Seems to me that the samba ipasam backend
on ipa doesn't like something<br>
> > > in the host or the "domain computers"
group object in ldap, but I cannot<br>
> > > see what could be the problem. Perhaps
someone more familiar with the<br>
> > > ipasam code can spot it quickly.<br>
><br>
> > Do I get it right that you are really looking for<br>
> > <a moz-do-not-send="true"
href="https://fedorahosted.org/sssd/ticket/1588"
target="_blank">https://fedorahosted.org/sssd/ticket/1588</a>
that was just released<br>
> > upstream?<br>
> > It would be cool if you can try using SSSD
1.12.1 under Samba FS in<br>
> > the use case you have and provide feedback on
how it works for you.<br>
> ><br>
> > AFAIU you install Samba FS and then use
ipa-client to configure SSSD<br>
> > under it and it should work.<br>
> > If not we probably should document it (but I
do not see any special<br>
> > design page which leads me to the above
expectation).<br>
><br>
> Ok, I'll happily try sssd 1.12.1.<br>
><br>
> Just a question, in smb.conf one should use
"security = domain" or<br>
> "security = ads"?<br>
<br>
</div>
</div>
'ads' because we want to use Kerberos. But there are some other<br>
configuration options which need attention, e.g. you have
to create a<br>
keytab for the cifs service and make it available to samba.
I'll try to<br>
set up a small howto page listing the needed steps and come
back to you<br>
early next week.<br>
<br>
bye,<br>
Sumit<br>
<div class="HOEnZb">
<div class="h5"><br>
><br>
> Best regards<br>
><br>
> --<br>
> Loris Santamaria linux user #70506 <a
moz-do-not-send="true"
href="mailto:xmpp%3Aloris@lgs.com.ve">xmpp:loris@lgs.com.ve</a><br>
> Links Global Services, C.A. <a
moz-do-not-send="true" href="http://www.lgs.com.ve"
target="_blank">http://www.lgs.com.ve</a><br>
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 <a
moz-do-not-send="true"
href="mailto:sip%3A103@lgs.com.ve">sip:103@lgs.com.ve</a><br>
>
------------------------------------------------------------<br>
> "If I'd asked my customers what they wanted, they'd
have said<br>
> a faster horse" - Henry Ford<br>
<br>
<br>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">> --<br>
> Manage your subscription for the Freeipa-users
mailing list:<br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
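<p>Added example, not part of the original thread and not code from the Samba or FreeIPA projects: a small audit of an smb.conf [global] section against the two points raised above (security = ads so Kerberos is used, and a keytab made available to Samba). The sample configurations, realm name and keytab path are constructed assumptions.</p>

```python
import configparser

# Constructed smb.conf samples (assumptions, not taken from the thread).
WEAK_CONF = """
[global]
    workgroup = IPA
    security = domain
"""

HARDENED_CONF = """
[global]
    workgroup = IPA
    realm = IPA.EXAMPLE.COM
    security = ads
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
"""

# "kerberos method" values that make Samba read a keytab;
# the Samba default, "secrets only", does not.
KEYTAB_METHODS = {"dedicated keytab", "system keytab", "secrets and keytab"}


def audit_smb_conf(text):
    """Return a list of findings for the [global] section of an smb.conf."""
    # Strip indentation so configparser does not treat lines as continuations.
    stripped = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(stripped)
    section = next((s for s in parser.sections() if s.lower() == "global"), None)
    if section is None:
        return ["no [global] section found"]
    # smb.conf parameter names ignore case and embedded spaces.
    glob = {"".join(k.split()): v.strip() for k, v in parser.items(section)}
    findings = []
    security = glob.get("security", "").lower()
    if security != "ads":
        findings.append(f"security = {security or '(unset)'}: expected 'ads' for Kerberos")
    method = " ".join(glob.get("kerberosmethod", "secrets only").lower().split())
    if method not in KEYTAB_METHODS:
        findings.append(f"kerberos method = {method}: the cifs keytab is not used")
    elif method == "dedicated keytab" and not glob.get("dedicatedkeytabfile"):
        findings.append("kerberos method = dedicated keytab but no dedicated keytab file")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or "OK")
```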
</body>
</html>