<div dir="ltr">Hi Matt<div> <div>- CentOS : Did you copy ipasam.so and change your smb.conf accordingly? sambaSamAccount is not needed anymore that way.</div><div>- Default IPA Way : won't work if your Windows is not part of a domain controller. DOMAIN\username may work for some users using Windows 7 - not 8 nor 10 (it did for me but I was the only one at the office... quite useless)</div></div><div> </div><div>This config may work on your CentOS (for the ipasam way):</div><div>workgroup = TEST</div><div>realm = <a href="http://TEST.NET" target="_blank">TEST.NET</a></div><div>kerberos method = dedicated keytab</div><div>dedicated keytab file = FILE:/<.....>/samba.keytab</div><div>create krb5 conf = no</div><div>security = user</div><div>encrypt passwords = true</div><div>passdb backend = ipasam:ldaps://<a href="http://youripa.test.net" target="_blank">youripa.test.net</a></div><div>ldapsam:trusted = yes</div><div>ldapsuffix = <a href="http://test.net" target="_blank">test.net</a></div><div>ldap user suffix = cn=users,cn=accounts</div><div>ldap group suffix = cn=groups,cn=accounts </div><div> </div><div class="gmail_extra"> <div><div><div><div>--</div><div>Youenn Piolet</div><div><a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a></div><div style="font-size:large"><div> </div></div></div></div></div> <div class="gmail_quote">2015-08-12 22:15 GMT+02:00 Matt . <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, OK the default IPA way works great actually when testing it as described here: <a href="http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA</a> On the samba server I can auth and see my share where I want to connect to. The issue is, on Windows I cannot auth, even when I do DOMAIN\username as username So, the IPA way should work. Any comments here ? Cheers, Matt <div><div> 2015-08-12 19:00 GMT+02:00 Matt . <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>>: > HI GUys, > > I'm testing this out and I think I almost setup, this on a CentOS samba server. > > I'm using the ipa-adtrust way of Youeen but it seems we still need to > add (objectclass=sambaSamAccount)) ? > > Info is welcome! > > I will report back when I have it working. > > Thanks! > > Matt > > 2015-08-10 11:16 GMT+02:00 Christopher Lamb <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >> The next route I will try - is the one Youeen took, using ipa-adtrust >> >> >> >> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >> To: Christopher Lamb/Switzerland/IBM@IBMCH, >> "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >> Date: 10.08.2015 10:03 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> >> >> >> Hi Chris, >> >> Okay this is good to hear. >> >> But don't we want a IPA managed Scheme ? >> >> When I did a "ipa-adtrust-install --add-sids" it also wanted a local >> installed Samba and I wonder why. >> >> Good that we make some progres on making it all clear. >> >> Cheers, >> >> Matt >> >> 2015-08-10 6:12 GMT+02:00 Christopher Lamb <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>> ldapsam + the samba extensions, pretty much as described in the >> Techslaves >>> article. Once I have a draft for the wiki page, I will mail you. >>> >>> >>> >>> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>> To: Christopher Lamb/Switzerland/IBM@IBMCH, >>> "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>> Date: <a href="tel:09.08.2015%2021" value="+33908201521" target="_blank">09.08.2015 21</a>:17 >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>> >>> >>> >>> Hi, >>> >>> Yes I know about "anything" but which way did you use now ? >>> >>> >>> >>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb >> <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>> Hi Matt >>>> >>>> I am on OEL 7.1. - so anything that works on that should be good for >> RHEL >>>> and Centos 7.x >>>> >>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As >>> we >>>> have suggested earlier, we will likely end up with several, one for each >>> of >>>> the possible integration paths. >>>> >>>> Chris >>>> >>>> >>>> >>>> >>>> >>>> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>> To: Christopher Lamb/Switzerland/IBM@IBMCH, >>>> "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>> Date: <a href="tel:09.08.2015%2016" value="+33908201516" target="_blank">09.08.2015 16</a>:45 >>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>>> >>>> >>>> >>>> Hi Chris, >>>> >>>> This sounds great! >>>> >>>> What are you using now, both CentOS ? So Samba and FreeIPA ? >>>> >>>> Maybe it's good to explain which way you used now in steps too, so we >>>> can combine or create multiple howto's ? >>>> >>>> At least we are going somewhere! >>>> >>>> Thanks, >>>> >>>> Matt >>>> >>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb >>> <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>> Hi Matt >>>>> >>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old >>> Samba >>>>> Schema extensions) is up and working, almost flawlessly. >>>>> >>>>> I can add users and groups via the FreeIPA CLI, and they get the >> correct >>>>> ObjectClasses / attributes required for Samba. >>>>> >>>>> So far I have not yet bothered to try the extensions to the WebUI, >>>> because >>>>> it is currently giving me the classic "Your session has expired. Please >>>>> re-login." error which renders the WebUI useless. >>>>> >>>>> The only problem I have so far encountered managing Samba / FreeIPA >>> users >>>>> via FreeIPA CLI commands is with the handling of the attribute >>>>> sambaPwdLastSet. This is the subject of an existing thread, also >> updated >>>>> today. >>>>> >>>>> There is also an existing alternative to hacking group.py, using "Class >>>> of >>>>> Service" (Cos) documented in this thread from February 2015 >>>>> >>> <a href="https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html</a> >>>> . >>>>> I have not yet tried it, but it sounds reasonable. >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>> To: Christopher Lamb/Switzerland/IBM@IBMCH >>>>> Cc: "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>>, Youenn >>>>> PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>> >>>>> Date: <a href="tel:06.08.2015%2016" value="+33608201516" target="_blank">06.08.2015 16</a>:19 >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >> IPA >>>>> >>>>> >>>>> >>>>> Hi Chris, >>>>> >>>>> OK, than we might create two different versions of the wiki, I think >>>>> this is nice. >>>>> >>>>> I'm still figuring out why I get that: >>>>> >>>>> IPA Error 4205: ObjectclassViolation >>>>> >>>>> missing attribute "sambaGroupType" required by object class >>>>> "sambaGroupMapping" >>>>> >>>>> Matt >>>>> >>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb >>>> <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>>> Hi Matt >>>>>> >>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA >>>>>> integration paths. >>>>>> >>>>>> The route I took is suited where there is no Active Directory >> involved: >>>>> In >>>>>> my case all the Windows, OSX and Linux clients are islands that sit on >>>>> the >>>>>> same network. >>>>>> >>>>>> The route that Youenn has taken (unless I have got completely the >> wrong >>>>> end >>>>>> of the stick) requires Active Directory in the architecture. >>>>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >>>>>> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>> To: Youenn PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>> >>>>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH, >>>>>> "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>> Date: <a href="tel:06.08.2015%2014" value="+33608201514" target="_blank">06.08.2015 14</a>:42 >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>> IPA >>>>>> >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> OK, this sounds already quite logical, but I'm still refering to the >>>>>> old howto we found earlier, does that one still apply somewhere or not >>>>>> at all ? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Matt >>>>>> >>>>>> >>>>>> >>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>>: >>>>>>> Hey guys, >>>>>>> >>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these >>>>> days :) >>>>>>> >>>>>>> General idea: >>>>>>> >>>>>>> On FreeIPA (4.1) >>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier >>>>>>> attribude, also known as SID) >>>>>>> - regenerate each user password to build ipaNTHash attribute, not >> here >>>>> by >>>>>>> default on users >>>>>>> - use your ldap browser to check ipaNTHash values are here on user >>>>>> objects >>>>>>> - create a CIFS service for your samba server >>>>>>> - Create user roles/permissions as described here: >>>>>>> >>>>>> >>>>> >>>> >>> >> <a href="http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa" rel="noreferrer" target="_blank">http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa</a> >> >>> >>>> >>>>> >>>>>> >>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and >>>>>>> ipaNTHash attributes in LDAP (ACI) >>>>>>> - SCP ipasam.so module to your cifs server (this is the magic >> trick) : >>>>>> scp >>>>>>> /usr/lib64/samba/pdb/ipasam.so >>>>>>> root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to >>>>>> recompile >>>>>>> it. >>>>>>> >>>>>>> On SAMBA Server side (CentOS 7...) >>>>>>> - Install server keytab file for CIFS >>>>>>> - check ipasam.so is here. >>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI >>>>>>> uid=admin ipaNTHash` thanks to kerberos >>>>>>> - make your smb.conf following the linked thread and restart service >>>>>>> >>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly >>> and >>>>>>> ipasam may use quite recent functionalities, the best is to just try. >>>>> You >>>>>>> can read in previous thread : "If you insist on Ubuntu you need to >> get >>>>>>> ipasam somewhere, most likely to compile it yourself". >>>>>>> >>>>>>> Make sure your user has ipaNTHash attribute :) >>>>>>> >>>>>>> You may want to debug authentication on samba server, I usually do >>>> this: >>>>>>> `tail -f /var/log/samba/log* | grep <username> >>>>>>> >>>>>>> Cheers >>>>>>> -- >>>>>>> Youenn Piolet >>>>>>> <a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a> >>>>>>> >>>>>>> >>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>>: >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> This sounds great to me too, but a howto would help to make it more >>>>>>>> clear about what you have done here. The thread confuses me a little >>>>>>>> bit. >>>>>>>> >>>>>>>> Can you paste your commands so we can test out too and report back ? >>>>>>>> >>>>>>>> Thanks! >>>>>>>> >>>>>>>> Matt >>>>>>>> >>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb >>>>>> <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>>>>> > Hi Youenn >>>>>>>> > >>>>>>>> > Good news that you have got an integration working >>>>>>>> > >>>>>>>> > Now you have got it going, and the solution is fresh in your mind, >>>>> how >>>>>>>> > about adding a How-to page on this solution to the FreeIPA wiki? >>>>>>>> > >>>>>>>> > Chris >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > From: Youenn PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>> >>>>>>>> > To: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM@IBMCH, >>>>>>>> > "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > Date: <a href="tel:05.08.2015%2014" value="+33508201514" target="_blank">05.08.2015 14</a>:51 >>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>> against >>>>>> IPA >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > Hi guys, >>>>>>>> > >>>>>>>> > Thank you so much your previous answers. >>>>>>>> > I realised my SID were stored in ipaNTsecurityidentifier, thanks >> to >>>>>>>> > ipa-adtrust-install --add-sids >>>>>>>> > >>>>>>>> > I found an other way to configure smb here: >>>>>>>> > >>>>>>>> > >>>>>> >>>>> >>>> >>> >> <a href="http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa" rel="noreferrer" target="_blank">http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa</a> >> >>> >>>> >>>>> >>>>>> >>>>>>>> > It works perfectly. >>>>>>>> > >>>>>>>> > I'm using module ipasam.so I have manually scp to the samba >> server, >>>>>>>> > Samba is set to use kerberos + ldapsam via this ipasam module. >>>>>>>> > Following the instructions, I created a user role allowing service >>>>>>>> > principal to read ipaNTHash value from the LDAP. >>>>>>>> > ipaNTHash are generated each time a user changes his password. >>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10. >>>>>>>> > >>>>>>>> > For more details, the previously linked thread is quite clear. >>>>>>>> > >>>>>>>> > Cheers >>>>>>>> > >>>>>>>> > -- >>>>>>>> > Youenn Piolet >>>>>>>> > <a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a> >>>>>>>> > >>>>>>>> > >>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>>: >>>>>>>> > Hi Chris. >>>>>>>> > >>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained >>>> it >>>>>>>> > was "already" there. >>>>>>>> > >>>>>>>> > I'm still getting: >>>>>>>> > >>>>>>>> > IPA Error 4205: ObjectclassViolation >>>>>>>> > >>>>>>>> > missing attribute "sambaGroupType" required by object class >>>>>>>> > "sambaGroupMapping" >>>>>>>> > >>>>>>>> > When adding a user. >>>>>>>> > >>>>>>>> > I also see "class" as fielname under my "Last name", this is not >>>> OK >>>>>>>> > also. >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > We sure need to make some howto, I think we can nail this >> down :) >>>>>>>> > >>>>>>>> > Thanks for the heads up! >>>>>>>> > >>>>>>>> > Matthijs >>>>>>>> > >>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb >>>>>>>> > <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>>>>> > > Hi Matt >>>>>>>> > > >>>>>>>> > > If I use Apache Directory Studio to add an attribute >>>>>> ipaCustomFields >>>>>>>> > to >>>>>>>> > > cn=ipaConfig,cn=etc, the operation it performs is a modify, as >>>>>> shown >>>>>>>> > below: >>>>>>>> > > >>>>>>>> > > #!RESULT OK >>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy >>>>>>>> > > #!DATE 2015-08-05T05:45:04.608 >>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com >>>>>>>> > > changetype: modify >>>>>>>> > > add: ipaCustomFields >>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true >>>>>>>> > > >>>>>>>> > > After that I then have a visible attribute ipaCustomFields as >>>>>>>> > expected. >>>>>>>> > > >>>>>>>> > > When adding the attribute, the wizard offered me >>>>> "ipaCustomFields" >>>>>>>> > as >>>>>>>> > > attribute type in a drop down list. >>>>>>>> > > >>>>>>>> > > Once we get this cracked, we really must write a how-to on the >>>>>>>> > FreeIPA >>>>>>>> > > Wiki. >>>>>>>> > > >>>>>>>> > > Chris >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > From: Christopher Lamb/Switzerland/IBM@IBMCH >>>>>>>> > > To: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > > Cc: "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > > Date: <a href="tel:05.08.2015%2007" value="+33508201507" target="_blank">05.08.2015 07</a>:31 >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>>>> against >>>>>>>> > IPA >>>>>>>> > > Sent by: <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > Hi Matt >>>>>>>> > > >>>>>>>> > > I also got the same result at that step, but can see nothing >> in >>>>>>>> > Apache >>>>>>>> > > Directory Studio. >>>>>>>> > > >>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, >>>>>> they >>>>>>>> > > probably were migrated with all the required attributes. >>>>>>>> > > >>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be: >>>>>>>> > > >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>>>>>>> > > changetype: modify >>>>>>>> > > add: ipaCustomFields >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>>>>> > > EOF >>>>>>>> > > >>>>>>>> > > i.e. changetype: modify, instead of changetype add ? >>>>>>>> > > >>>>>>>> > > I don't want to play around with my prod directory - I will >>>> setup >>>>>> an >>>>>>>> > EL >>>>>>>> > 7.1 >>>>>>>> > > VM and install FreeIPA 4.x and Samba 4.x That will allow me to >>>>>> play >>>>>>>> > around >>>>>>>> > > more destructively. >>>>>>>> > > >>>>>>>> > > Chris >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > > To: Christopher Lamb/Switzerland/IBM@IBMCH >>>>>>>> > > Cc: Youenn PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>>, " >>>>>>>> > <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" >>>>>>>> > > <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > > Date: <a href="tel:05.08.2015%2001" value="+33508201501" target="_blank">05.08.2015 01</a>:01 >>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba >>> Server >>>>>>>> > Auth >>>>>>>> > against IPA >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > Hi Chris, >>>>>>>> > > >>>>>>>> > > I'm at the right path, but my issue is that: >>>>>>>> > > >>>>>>>> > > ldapmodify -Y GSSAPI <<EOF >>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>>>>>>> > > changetype: add >>>>>>>> > > add: ipaCustomFields >>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>>>>>> > > EOF >>>>>>>> > > >>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when >>> I >>>>>> add >>>>>>>> > > it manually as an attribute it still fails when I add a user >> on >>>>>> this >>>>>>>> > > sambagrouptype as it's needed by the other attributes >>>>>>>> > > >>>>>>>> > > So that is my issue I think so far. >>>>>>>> > > >>>>>>>> > > Any clue about that ? >>>>>>>> > > >>>>>>>> > > No problem "you don't know something or are no guru" we are >> all >>>>>>>> > > learning! :) >>>>>>>> > > >>>>>>>> > > Cheers, >>>>>>>> > > >>>>>>>> > > Matt >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb < >>>>>>>> > <a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>>>>> > >> Hi Matt, Youeen >>>>>>>> > >> >>>>>>>> > >> Just to set the background properly, I did not invent this >>>>>> process. >>>>>>>> > I >>>>>>>> > > know >>>>>>>> > >> only a little about FreeIPA, and almost nothing about Samba, >>>> but >>>>>> I >>>>>>>> > guess >>>>>>>> > > I >>>>>>>> > >> was lucky enough to get the integration working on a Sunday >>>>>>>> > afternoon. >>>>>>>> > (I >>>>>>>> > >> did have an older FreeIPA 3.x / Samba 3.x installation as a >>>>>>>> > reference). >>>>>>>> > >> >>>>>>>> > >> It sounds like we need to step back, and look at the test >> user >>>>>> and >>>>>>>> > group >>>>>>>> > > in >>>>>>>> > >> the FreeIPA LDAP tree. I find using an LDAP browser makes >> this >>>>>> much >>>>>>>> > > easier. >>>>>>>> > >> >>>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions >>> in >>>>>>>> > FreeIPA >>>>>>>> > >> (cn=accounts, cn=users): >>>>>>>> > >> >>>>>>>> > >> * objectClass: sambasamaccount >>>>>>>> > >> >>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet >>>>>>>> > >> >>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions >>>> in >>>>>>>> > FreeIPA >>>>>>>> > >> (cn=accounts, cn=groups): >>>>>>>> > >> >>>>>>>> > >> * objectClass: sambaGroupMapping >>>>>>>> > >> >>>>>>>> > >> * Attributes: sambaGroupType, sambaSID >>>>>>>> > >> >>>>>>>> > >> The Users must belong to one or more of the samba groups that >>>>> you >>>>>>>> > have >>>>>>>> > >> setup. >>>>>>>> > >> >>>>>>>> > >> If you don't have something similar to the above (which >> sounds >>>>>> like >>>>>>>> > it >>>>>>>> > is >>>>>>>> > >> the case), then something went wrong applying the extensions. >>>> It >>>>>>>> > would >>>>>>>> > be >>>>>>>> > >> worth testing comparing a new user / group created post >> adding >>>>>> the >>>>>>>> > >> extensions to a previous existing user. >>>>>>>> > >> >>>>>>>> > >> i.e. >>>>>>>> > >> are the extensions missing on existing users / groups? >>>>>>>> > >> are the extensions missing on new users / groups? >>>>>>>> > >> >>>>>>>> > >> Cheers >>>>>>>> > >> >>>>>>>> > >> Chris >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> From: Youenn PIOLET <<a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a>> >>>>>>>> > >> To: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM@IBMCH, >>>>>>>> > >> "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" >>>>> <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > >> Date: <a href="tel:04.08.2015%2018" value="+33408201518" target="_blank">04.08.2015 18</a>:56 >>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth >>>>>>>> > against >>>>>>>> > IPA >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> Hi there, >>>>>>>> > >> >>>>>>>> > >> I have difficulties to follow you at this point :) >>>>>>>> > >> Here is what I've done and what I've understood: >>>>>>>> > >> >>>>>>>> > >> ## SMB Side >>>>>>>> > >> - Testparm OK >>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to >>>>> connect. >>>>>>>> > >> - pdbedit -Lv output is all successfull but I can see there >> is >>>> a >>>>>>>> > filter : >>>>>>>> > >> (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users >>>> don't >>>>>>>> > have >>>>>>>> > >> sambaSamAccount. >>>>>>>> > >> >>>>>>>> > >> ## LDAP / FreeIPA side >>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my >>>>>>>> > FreeIPA >>>>>>>> > >> server to get samba LDAP extensions. >>>>>>>> > >> - I can see samba classes exist in LDAP but are not used on >> my >>>>>>>> > group >>>>>>>> > >> objects nor my user objects >>>>>>>> > >> - I have add sambaSamAccount in FreeIPA default user classes, >>>>>>>> > >> and sambaGroupMapping to default group classes. In that state >>> I >>>>>>>> > can't >>>>>>>> > >> create user nor groups anymore, as new samba attributes are >>>>>> needed >>>>>>>> > for >>>>>>>> > >> instantiation. >>>>>>>> > >> - I have add in etc ipaCustomFields: 'Samba Group >>>>>>>> > > Type,sambagrouptype,true' >>>>>>>> > >> but I don't get what it does. >>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the >>>>>>>> > "local" >>>>>>>> > > option >>>>>>>> > >> when creating a group in FreeIPA, supposed to set >>>> sambagrouptype >>>>>> to >>>>>>>> > 4 >>>>>>>> > or >>>>>>>> > > 2 >>>>>>>> > >> (domain). It doesn't work and tells that sambagrouptype >>>>> attribute >>>>>>>> > doesn't >>>>>>>> > >> exist (but it should now I put sambaGroupType class by >>>>>> default...) >>>>>>>> > >> >>>>>>>> > >> ## Questions >>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use >>> unix / >>>>>>>> > posix >>>>>>>> > >> instead? I guess no. >>>>>>>> > >> 1) How to generate the user/group SIDs ? They are requested >> to >>>>>> add >>>>>>>> > >> sambaSamAccount classes. >>>>>>>> > >> This article doesn't seem relevant since we don't use domain >>>>>>>> > controller >>>>>>>> > >> >>>>>>>> > > >>>>>>>> > >>>>>>>> > >>>>>> >>>>> >>>> >>> >> <a href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html" rel="noreferrer" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html</a> >>>>>>>> > >>>>>>>> > >> and netgetlocalsid returns an error. >>>>>>>> > >> 2) How to fix samba.js plugin? >>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user >>>>> creation, >>>>>>>> > where >>>>>>>> > > can >>>>>>>> > >> I find it? >>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not >>>>> only >>>>>>>> > Windows >>>>>>>> > >> 7? >>>>>>>> > >> >>>>>>>> > >> Thanks a lot for your previous and future answers >>>>>>>> > >> >>>>>>>> > >> -- >>>>>>>> > >> Youenn Piolet >>>>>>>> > >> <a href="mailto:piolet.y@gmail.com" target="_blank">piolet.y@gmail.com</a> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>>: >>>>>>>> > >> Hi, >>>>>>>> > >> >>>>>>>> > >> Yes, log is anonymised. >>>>>>>> > >> >>>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also >>>>> when >>>>>> I >>>>>>>> > >> change it's password it doesn't get it in ldap. >>>>>>>> > >> >>>>>>>> > >> There must be something going wrong I guess. >>>>>>>> > >> >>>>>>>> > >> Matt >>>>>>>> > >> >>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb >>>>>>>> > > <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a> >>>>>>>> > >> >: >>>>>>>> > >> > Hi Matt >>>>>>>> > >> > >>>>>>>> > >> > I assume [username] is a real username, identical to that >>>> in >>>>>>>> > the >>>>>>>> > >> FreeIPA >>>>>>>> > >> > cn=accounts, cn=users tree? (i.e. you anonymised the log >>>>>>>> > extract). >>>>>>>> > >> > >>>>>>>> > >> > You user should be a member of the appropriate samba >>> groups >>>>>>>> > that >>>>>>>> > you >>>>>>>> > >> setup >>>>>>>> > >> > in FreeIPA. >>>>>>>> > >> > >>>>>>>> > >> > You should check that the user attribute SambaPwdLastSet >>> is >>>>>> set >>>>>>>> > to >>>>>>>> > a >>>>>>>> > >> > positive value (e.g. 1). If not you get an error in the >>>>> Samba >>>>>>>> > logs >>>>>>>> > - >>>>>>>> > > I >>>>>>>> > >> > would need to play around again with a test user to find >>>> out >>>>>>>> > the >>>>>>>> > > exact >>>>>>>> > >> > error. >>>>>>>> > >> > >>>>>>>> > >> > I don't understand what you mean about syncing the users >>>>>> local, >>>>>>>> > but >>>>>>>> > > we >>>>>>>> > >> did >>>>>>>> > >> > not need to do anything like that. >>>>>>>> > >> > >>>>>>>> > >> > Chris >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM@IBMCH >>>>>>>> > >> > Cc: "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" >>>>> <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > >> > Date: <a href="tel:04.08.2015%2015" value="+33408201515" target="_blank">04.08.2015 15</a>:33 >>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server >>>> Auth >>>>>>>> > against >>>>>>>> > >> IPA >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > Hi Chris, >>>>>>>> > >> > >>>>>>>> > >> > A puppet run added another passdb backend, that was >>> causing >>>>>> my >>>>>>>> > issue. >>>>>>>> > >> > >>>>>>>> > >> > What I still experience is: >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] >>>>>>>> > >> > ../source3/auth/check_samsec.c:399(check_sam_security) >>>>>>>> > >> > check_sam_security: Couldn't find user 'username' in >>>>>> passdb. >>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] >>>>>>>> > >> > ../source3/auth/auth.c:288(auth_check_ntlm_password) >>>>>>>> > >> > check_ntlm_password: Authentication for user >> [username] >>>>> -> >>>>>>>> > >> > [username] FAILED with error NT_STATUS_NO_SUCH_USER >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > I also wonder if I shall still sync the users local, or >> is >>>>> it >>>>>>>> > > needed ? >>>>>>>> > >> > >>>>>>>> > >> > Thanks again, >>>>>>>> > >> > >>>>>>>> > >> > Matt >>>>>>>> > >> > >>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb < >>>>>>>> > >> <a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>>: >>>>>>>> > >> >> Hi Matt >>>>>>>> > >> >> >>>>>>>> > >> >> From our smb.conf file: >>>>>>>> > >> >> >>>>>>>> > >> >> [global] >>>>>>>> > >> >> security = user >>>>>>>> > >> >> passdb backend = >>>>>>>> > ldapsam:ldap://<a href="http://xxx-ldap2.my.silly.example.com" rel="noreferrer" target="_blank">xxx-ldap2.my.silly.example.com</a> >>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com >>>>>>>> > >> >> ldap admin dn = cn=Directory Manager >>>>>>>> > >> >> >>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I >> have >>>>>> not >>>>>>>> > tried >>>>>>>> > >> with >>>>>>>> > >> > a >>>>>>>> > >> >> less powerful user, but it is conceivable that a lesser >>>>> user >>>>>>>> > may >>>>>>>> > not >>>>>>>> > >> see >>>>>>>> > >> >> all the required attributes, resulting in "no such user" >>>>>>>> > errors. >>>>>>>> > >> >> >>>>>>>> > >> >> Chris >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> From: "Matt ." <<a href="mailto:yamakasi.014@gmail.com" target="_blank">yamakasi.014@gmail.com</a>> >>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM@IBMCH >>>>>>>> > >> >> Cc: "<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>" >>>>>> <<a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a>> >>>>>>>> > >> >> Date: <a href="tel:04.08.2015%2013" value="+33408201513" target="_blank">04.08.2015 13</a>:32 >>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server >>>>> Auth >>>>>>>> > against >>>>>>>> > >> IPA >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> Hi Chris, >>>>>>>> > >> >> >>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now >> when >>>> I >>>>>>>> > add a >>>>>>>> > >> >> group from the GUI, great thanks! >>>>>>>> > >> >> >>>>>>>> > >> >> But do you use Directory Manager as ldap admin user or >>>> some >>>>>>>> > other >>>>>>>> > >> >> admin account ? >>>>>>>> > >> >> >>>>>>>> > >> >> I'm not sure id DM is needed and it should get that deep >>>>>> into >>>>>>>> > IPA. >>>>>>>> > >> >> Also when starting samba it cannot find "such user" as >>>> that >>>>>>>> > sounds >>>>>>>> > >> >> quite known as it has no UID. >>>>>>>> > >> >> >>>>>>>> > >> >> From your config I see you use DM, this should work ? >>>>>>>> > >> >> >>>>>>>> > >> >> Thanks! >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> >> Matt >>>>>>>> > >> >> >>>>>>>> > >> >> >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> > >>>>>>>> > >> >>>>>>>> > >> -- >>>>>>>> > >> Manage your subscription for the Freeipa-users mailing >> list: >>>>>>>> > >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>>>>>> > >> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > >> >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > -- >>>>>>>> > > Manage your subscription for the Freeipa-users mailing list: >>>>>>>> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>>>>>> > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > > >>>>>>>> > >>>>>>>> > -- >>>>>>>> > Manage your subscription for the Freeipa-users mailing list: >>>>>>>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >>>>>>>> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>>> >>> >>> >>> >>> >> >> >> >> </div></div></blockquote></div> </div></div>