<div dir="ltr"><div><div><div>Interestingly enough, I have almost the same setup here. <br></div><br></div>I did an ipa-server install, then did ipa-adtrust-install. Afterward, I went through and grabbed the configs with 'net conf list' and modified it to use my shares. This one is just my testing, but the production one works perfectly!<br><br></div>How did you import your users? I did mine by setting up an openldap and importing an ldif with the proper DN values. Then ran ipa migrate-ds. In some cases, certain data didn't migrate, so I added that with ldapmodify as necessary.<br><br>Here's what my samba config looks like with 'net conf list'. It seems it's pretty much the same as yours. Except for mine working, of course.<br><div><div><div><div><div><br>[global]<br> workgroup = EXAMPLE<br> realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a><br> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket<br> dedicated keytab file = FILE:/etc/samba/samba.keytab<br> kerberos method = dedicated keytab<br> log file = /var/log/samba/log.%m<br> max log size = 100000<br> disable spoolss = Yes<br> domain logons = Yes<br> domain master = Yes<br> ldap group suffix = cn=groups,cn=accounts<br> ldap machine suffix = cn=computers,cn=accounts<br> ldap suffix = dc=example,dc=com<br> ldap ssl = no<br> ldap user suffix = cn=users,cn=accounts<br> registry shares = Yes<br> create krb5 conf = No<br> rpc_daemon:lsasd = fork<br> rpc_daemon:epmd = fork<br> rpc_server:tcpip = yes<br> rpc_server:netlogon = external<br> rpc_server:samr = external<br> rpc_server:lsasd = external<br> rpc_server:lsass = external<br> rpc_server:lsarpc = external<br> rpc_server:epmapper = external<br> ldapsam:trusted = yes<br> idmap config * : backend = tdb<br><br>[homes]<br> browseable = no<br> comment = Home Directories<br> read only = no<br><br>[share1]<br> browseable = yes<br> read only = no<br> path = /srv/samba/share1<br> comment = Temporary Public Share<br> valid users = 
@testgroup<br><br></div><div>Cheers,<br><br>herlo<br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith <span dir="ltr"><<a href="mailto:jasonsmith@attask.com" target="_blank">jasonsmith@attask.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>A little history. We migrated from an OpenLDAP system to FreeIPA. The IPA version is listed above. I have samba installed and integrated directly on the FreeIPA box.<br></div><div>The problem we're having is that users who were migrated can no longer see the samba shares. We are connecting to these shares through Mac OS X. When accessing the share with smbclient -L <a href="mailto:mydomain@domain.com" target="_blank">mydomain@domain.com</a> I get the response <b>session setup failed: NT_STATUS_CONNECTION_DISCONNECTED. </b>This is the response I get when connected to the FreeIPA/Samba box.</div><div><br></div><div>Users were able to access these shares, then overnight, they weren't. No changes were made to the samba config or the FreeIPA. <b>Any new user created through FreeIPA can see and browse any share they have access to.</b></div><div><b><br></b></div><div>If there's any other information needed, please let me know. 
Thank you!!!</div><div><b><br></b></div><div>Below are a couple configs I have set:</div><div><br></div><div><b>Samba global settings</b></div><div><div>[global]</div><div> workgroup = ATTASK</div><div> netbios name = IPA01</div><div> realm = ATTASK.CORP</div><div> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket</div><div> kerberos method = dedicated keytab</div><div> dedicated keytab file = FILE:/etc/samba/samba.keytab</div><div> log file = /var/log/samba/log.%m</div><div> max log size = 100000</div><div> disable spoolss = Yes</div><div> domain logons = Yes</div><div> domain master = Yes</div><div> ldap group suffix = cn=groups,cn=accounts</div><div> ldap machine suffix = cn=computers,cn=accounts</div><div> ldap suffix = dc=attask,dc=corp</div><div> ldap ssl = no</div><div> ldap user suffix = cn=users,cn=accounts</div><div> registry shares = Yes</div><div> create krb5 conf = No</div><div> rpc_daemon:lsasd = fork</div><div> rpc_daemon:epmd = fork</div><div> rpc_server:tcpip = yes</div><div> rpc_server:netlogon = external</div><div> rpc_server:samr = external</div><div> rpc_server:lsasd = external</div><div> rpc_server:lsass = external</div><div> rpc_server:lsarpc = external</div><div> rpc_server:epmapper = external</div><div> ldapsam:trusted = yes</div><div> idmap config * : backend = tdb</div></div><div><br></div><div><b>User Not Working:</b></div><div><div> dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp</div><div> uid: test</div><div> sn: test</div><div> cn: test</div><div> mail: <a href="mailto:test@test.com" target="_blank">test@test.com</a></div><div> nsaccountlock: False</div><div> has_password: True</div><div> has_keytab: True</div><div> dialupAccess: yes</div><div> displayName: test test</div><div> emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==</div><div> gidNumber: 107001365</div><div> givenName: test</div><div> homeDirectory: /home/test</div><div> ipaNTSecurityIdentifier: 
S-1-5-21-1103557689-1565082434-1264062975-2355</div><div> ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7</div><div> krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=</div><div> krbLastFailedAuth: 20141028151647Z</div><div> krbLastPwdChange: 20141028152120Z</div><div> krbLastSuccessfulAuth: 20141028152012Z</div><div> krbLoginFailedCount: 0</div><div> krbPasswordExpiration: 20150122152120Z</div><div> krbPrincipalName: test@ATTASK.CORP</div><div> krbTicketFlags: 128</div><div> loginShell: /sbin/nologin</div><div> memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp</div><div> memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp</div><div> memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp</div><div> objectClass: krbticketpolicyaux</div><div> objectClass: ipaobject</div><div> objectClass: organizationalperson</div><div> objectClass: top</div><div> objectClass: customPersonAttributes</div><div> objectClass: ipasshuser</div><div> objectClass: inetorgperson</div><div> objectClass: sambaSamAccount</div><div> objectClass: person</div><div> objectClass: inetuser</div><div> objectClass: krbprincipalaux</div><div> objectClass: radiusProfile</div><div> objectClass: posixaccount</div><div> objectClass: ipaSshGroupOfPubKeys</div><div> objectClass: ipantuserattrs</div><div> radiusTunnelMediumType: IEEE-802</div><div> radiusTunnelPrivateGroupId: 1424</div><div> radiusTunnelType: VLAN</div><div> sambaPwdLastSet: 0</div><div> sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622</div><div> uidNumber: 107001355</div></div><div><b><br></b></div></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div></div>
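One audit a practitioner might run over migrated user entries like the one quoted above, as an added example that is not code from the thread's authors or the FreeIPA project: it parses a flat LDIF dump (such as ldapsearch output) and flags migration leftovers. The attribute names and SID values are taken from the entry in the thread; which combinations deserve a look is an assumption, not a diagnosis of the reported failure.

```python
"""Audit a FreeIPA user entry (flat LDIF text, e.g. from ldapsearch) for
leftovers of an OpenLDAP/Samba migration.

Added example, not code from FreeIPA or the thread's authors.  Attribute names
follow the entry quoted in the thread; which combinations deserve a look is an
assumption, not a diagnosis.
"""
from collections import defaultdict

# Constructed sample: a subset of the attributes of the entry in the thread.
SAMPLE_LDIF = """\
dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
uid: test
nsaccountlock: False
ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
objectClass: sambaSamAccount
objectClass: ipantuserattrs
objectClass: posixaccount
sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
uidNumber: 107001355
"""

def parse_ldif(text):
    """Parse one flat LDIF entry into {attr_lowercase: [values]}."""
    entry = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return entry

def audit_user(entry):
    """Return a list of findings; empty means nothing stood out."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" in classes and "ipantuserattrs" in classes:
        findings.append("legacy sambaSamAccount objectClass coexists with ipantuserattrs")
    sids, ipa_sids = entry.get("sambasid", []), entry.get("ipantsecurityidentifier", [])
    if sids and ipa_sids and sids[0] != ipa_sids[0]:
        findings.append(f"sambaSID {sids[0]} differs from ipaNTSecurityIdentifier {ipa_sids[0]}")
    if entry.get("nsaccountlock", ["false"])[0].lower() == "true":
        findings.append("account is locked (nsaccountlock)")
    return findings

if __name__ == "__main__":
    for finding in audit_user(parse_ldif(SAMPLE_LDIF)):
        print("-", finding)
```

Run it against `ldapsearch -LLL` output for each migrated user and compare the findings with a freshly created user that is known to work.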