<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000"><div>Same result...<br></div><div><br data-mce-bogus="1"></div><div>ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash<br>Enter LDAP Password: <br># extended LDIF<br>#<br># LDAPv3<br># base &lt;dc=casalogic,dc=lan&gt; (default) with scope subtree<br># filter: uid=th<br># requesting: ipaNTHash <br>#<br><br># th, users, compat, casalogic.lan<br>dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan<br><br># th, users, accounts, casalogic.lan<br>dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan<br><br># search result<br>search: 2<br>result: 0 Success<br><br># numResponses: 3<br># numEntries: 2<br></div><div><br></div><div><span id="zwchr" data-marker="__DIVIDER__">----- On Oct 29, 2015, at 7:45 PM, Joshua Doll &lt;joshua.doll@gmail.com&gt; wrote:<br></span></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div>What about as directory manager?<br><br></div>--Joshua D Doll<br><div><div><br><div class="gmail_quote"><div dir="ltr">On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen &lt;<a href="mailto:th@casalogic.dk" target="_blank" data-mce-href="mailto:th@casalogic.dk">th@casalogic.dk</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: 
arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div>I should think so:<br></div><br><div>On IPA server.<br></div><br><div>ipa role-show 'CIFS server'<br>  Role name: CIFS server<br>  Privileges: CIFS server privilege<br>  Member services: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN</div><br><div>ipa privilege-show 'CIFS server privilege'<br>  Privilege name: CIFS server privilege<br>  Permissions: CIFS test, CIFS server can read user passwords<br>  Granting privilege to roles: CIFS server</div><br><div>ipa permission-show 'CIFS server can read user passwords'<br>  Permission name: CIFS server can read user passwords<br>  Granted rights: read, search, compare<br>  Effective attributes: ipaNTHash, ipaNTSecurityIdentifier<br>  Bind rule type: permission<br>  Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan<br>  Type: user<br>  Granted to Privilege: CIFS server privilege<br>  Indirect Member of roles: CIFS server</div><br><div>ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN -k /tmp/samba.keytab</div><br><div>samba.keytab copied to samba server.<br></div><br><div>on samba server (tinkerbell):<br></div><div>kdestroy -A</div><div>kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan</div><div>ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash</div><br><div>SASL/GSSAPI authentication started<br>SASL username: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN<br>SASL SSF: 56<br>SASL data security layer installed.<br># extended LDIF<br>#<br># LDAPv3<br># base &lt;dc=casalogic,dc=lan&gt; (default) with scope subtree<br># filter: uid=th<br># requesting: ipaNTHash <br>#</div></div></div></div></div><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: 
arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><br><br># th, users, compat, casalogic.lan<br>dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan<br><br># th, users, accounts, casalogic.lan<br>dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan<br><br></div></div></div></div></div><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div># search result<br>search: 4<br>result: 0 Success<br><br># numResponses: 3<br># numEntries: 2</div></div></div></div></div><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><br><br><br><div><span>----- On Oct 29, 2015, at 3:27 PM, Joshua Doll &lt;<a href="mailto:joshua.doll@gmail.com" target="_blank" data-mce-href="mailto:joshua.doll@gmail.com">joshua.doll@gmail.com</a>&gt; wrote:<br></span></div><div><blockquote style="border-left: 2px solid #1010ff; margin-left: 5px; padding-left: 5px; color: #000000; font-weight: normal; font-style: normal; text-decoration: none; font-family: helvetica,arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010ff; margin-left: 5px; padding-left: 5px; color: #000000; font-weight: normal; font-style: normal; text-decoration: none; font-family: 
helvetica,arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div>Are you using the correct principal for the ldapsearch? Did you grant it permissions to view those attributes?<br></div>--Joshua D Doll<br><div><div class="gmail_quote"><div dir="ltr">On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen &lt;<a href="mailto:th@casalogic.dk" target="_blank" data-mce-href="mailto:th@casalogic.dk">th@casalogic.dk</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;" data-mce-style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div>Hmm, weird.<br></div><div>I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs.</div><div>However, I still can't see them on the user.</div><div>a IPA-db doesn't reveal them being generated and I can't look them up via LDAP.</div><br><div>ldapsearch -Y GSSAPI uid=th ipaNTHash<br>.......<br># th, users, compat, casalogic.lan<br>dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan<br><br># th, users, accounts, casalogic.lan<br>dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan<br><br>.....<br></div><br><div>Samba, however, starts fine now, but is unable to find any users:</div><div>pdbedit -Lv<br>pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan</div></div></div><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><br><br><br><div><span>----- On Oct 27, 2015, at 3:46 PM, Joshua Doll &lt;<a href="mailto:joshua.doll@gmail.com" target="_blank" data-mce-href="mailto:joshua.doll@gmail.com">joshua.doll@gmail.com</a>&gt; wrote:<br></span></div><div><blockquote 
style="border-left: 2px solid #1010ff; margin-left: 5px; padding-left: 5px; color: #000000; font-weight: normal; font-style: normal; text-decoration: none; font-family: helvetica,arial,sans-serif; font-size: 12pt;" data-mce-style="border-left: 2px solid #1010ff; margin-left: 5px; padding-left: 5px; color: #000000; font-weight: normal; font-style: normal; text-decoration: none; font-family: helvetica,arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div class="gmail_quote"><br><div><br><div>To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the ipa-adtrust-install --add-sids, even though I was not setting up a trust. It would be nice if there was a way to generate these values another way, maybe there is but I missed it.<br><br></div>--Joshua D Doll<br> </div></div></div><br>-- <br>Manage your subscription for the Freeipa-users mailing list:<br><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" data-mce-href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>Go to <a href="http://freeipa.org" target="_blank" data-mce-href="http://freeipa.org">http://freeipa.org</a> for more info on the project<br></blockquote></div><br><br></div></div></blockquote></div></div></div></blockquote></div><br><div>-- <br></div></div></div></div></div><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000;"><div><p style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">Kind regards</p><p style="margin: 10px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 14px;" data-mce-style="margin: 10px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 14px;"><b>Troels Hansen</b></p><p style="margin: 3px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;" data-mce-style="margin: 3px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">System Consultant</p><p style="margin: 4px 2px 0px 0px; font-family: arial,verdana,sans-serif; color: #4c4c4c; font-size: 14px; font-weight: bold;" data-mce-style="margin: 4px 2px 0px 0px; font-family: arial,verdana,sans-serif; color: #4c4c4c; font-size: 14px; font-weight: bold;">Casalogic A/S</p><p style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">T  (+45) 70 20 10 63</p><p style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;" 
data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">M (+45) 22 43 71 57</p><div>Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.<br></div></div></div></div></div></div></blockquote></div></div></div></div></blockquote></div><div><br></div><div data-marker="__SIG_POST__">-- <br></div><div><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">Kind regards</p><p style="MARGIN: 10px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 14px" data-mce-style="margin: 10px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 14px;"><b>Troels Hansen</b></p><p style="MARGIN: 3px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 3px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">System Consultant</p><p style="MARGIN: 4px 2px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; COLOR: #4c4c4c; FONT-SIZE: 14px; FONT-WEIGHT: bold" 
data-mce-style="margin: 4px 2px 0px 0px; font-family: arial,verdana,sans-serif; color: #4c4c4c; font-size: 14px; font-weight: bold;">Casalogic A/S</p><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">T  (+45) 70 20 10 63</p><p style="MARGIN: 5px 0px 0px; FONT-FAMILY: arial,verdana,sans-serif; FONT-SIZE: 12px" data-mce-style="margin: 5px 0px 0px; font-family: arial,verdana,sans-serif; font-size: 12px;">M (+45) 22 43 71 57</p><div>Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.<br></div></div></div></body></html>