[Freeipa-devel] freeipa and samba

Simo Sorce ssorce at redhat.com
Wed Feb 6 20:25:14 UTC 2008


On Wed, 2008-02-06 at 03:19 +0100, Thomas Sailer wrote:
> I've just installed freeipa on an up-to-date Fedora 8 machine. I used
> the current rawhide ipa srpm and recompiled it on F8.
> 
> The biggest problem was that kerberos credentials passing in
> mod_auth_kerb does not work with krb5-libs-1.6.2-9.fc8. I recompiled and
> installed the rawhide krb5-1.6.3-4.fc9.src.rpm on F8, now it works. This
> might be worth an addition to the troubleshooting guide, it took me
> quite some time to figure this out.

It may be worth raising a bug against krb5 in F8 so that the proper fix
can be released there. Do you feel like doing that?

> Now how am I supposed to configure samba? I can make samba authenticate
> against LDAP just fine. But what should samba do on user add? password
> change?

On user add it should call the ipa tools to add a user entry. To do
that, right now, the only way is to create an administrative user
account and then retrieve a keytab for it (this will reset the account
password and store it in the keytab).
A script will kinit using such keytab and call the appropriate tool with
the correct switches.
We plan to do some more integration work with samba, but right now that
work has to be done manually.

To change passwords you should use the following configuration option:
ldap passwd sync = only

This will make samba only do a password change using the password extop
and let the server create all the necessary hashes (including LM and NT
hashes).
This may require some ACI tweaking and using an SSL connection to FDS.

> The ipa-* scripts currently do not provide a way to create a machine
> account.

Yes, in IPA v1.0 the concept of machine accounts still does not exist.
For samba anyway, machine accounts are just user accounts and must be
available via nss calls, so for all practical purposes what you need for
now is just regular user accounts named after the machine name.

> smbldap-tools scripts basically work, but do not add the kerberos
> principal when creating new accounts, which causes subsequent password
> changes to fail until the principal is added manually.

True.

> What is the strategy with idm-console and dirsrv-admin? Are they
> intended to be totally superseded by the ipa command line tools and the
> web gui?

No, they are more advanced tools to tweak an installation; you shouldn't
need to use them for day-to-day operations though.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
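The "add user script" flow Simo describes above (create an admin account, fetch a keytab for it, have a script kinit from that keytab and call the ipa tools) as a worked example. This is an added illustration, not a script from the thread or from the FreeIPA or Samba projects. The script name, the keytab and ipa-adduser paths, the smbadmin principal and the assumption that ipa-adduser takes -f/-l for first and last name are all mine; the smb.conf parameters in the header comment are Samba's real ones. The part a practitioner should not skip is the name check: Samba runs this script as root with an account name that originated on the SMB client, so it is validated before it reaches any command line, and the admin ticket lives in a private, temporary credential cache that is destroyed afterwards.

```shell
#!/bin/sh
# ipa-smb-adduser: wrapper for Samba's "add user script" (hypothetical script
# name, not shipped by FreeIPA or Samba).  Samba runs it as root with the
# client-supplied account name as its only argument; wiring in smb.conf:
#
#   passdb backend     = ldapsam:ldap://ipa.example.com
#   ldap passwd sync   = only
#   add user script    = /usr/local/sbin/ipa-smb-adduser %u
#   add machine script = /usr/local/sbin/ipa-smb-adduser %u
#
# The script gets a ticket from a keytab and calls ipa-adduser with that
# identity.  Paths, principal and the ipa-adduser switches are assumptions.
set -eu

IPA_ADDUSER=${IPA_ADDUSER:-/usr/sbin/ipa-adduser}           # assumed path
SMB_KEYTAB=${SMB_KEYTAB:-/etc/samba/ipa-smb-admin.keytab}   # assumed path
SMB_PRINCIPAL=${SMB_PRINCIPAL:-smbadmin@EXAMPLE.COM}        # constructed example

# The name comes from an SMB client and this runs as root: accept only a
# conservative character set before it reaches any command line.  A trailing
# "$" is allowed because Samba names machine accounts that way.
valid_username() {
    printf '%s' "${1:-}" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}\$?$'
}

# Run ipa-adduser for one account.  The v1 tool wants a first and last name
# (assumed -f/-l switches); with nothing better available, reuse the name.
run_adduser() {
    user=$1
    "$IPA_ADDUSER" -f "$user" -l "$user" "$user"
}

# Obtain a ticket into a private credential cache so that we neither clobber
# root's cache nor leave an admin TGT behind; run the given command, then
# destroy the ticket whatever the command's outcome.
with_keytab_ticket() {
    ccfile=$(mktemp /tmp/ipa-smb-adduser.XXXXXX)   # 0600, unpredictable name
    KRB5CCNAME="FILE:$ccfile"
    export KRB5CCNAME
    kinit -kt "$SMB_KEYTAB" "$SMB_PRINCIPAL"
    rc=0
    "$@" || rc=$?
    kdestroy >/dev/null 2>&1 || true
    rm -f "$ccfile"
    return "$rc"
}

main() {
    if ! valid_username "${1:-}"; then
        printf 'ipa-smb-adduser: refusing account name "%s"\n' "${1:-}" >&2
        return 2
    fi
    with_keytab_ticket run_adduser "$1"
}

# Samba always passes the account name; with no argument nothing is executed,
# so the functions above can be exercised without touching the KDC.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The keytab is the admin account's credential (retrieving it resets that account's password, as the post notes), so it should be readable by root only, and the ACI and SSL adjustments Simo mentions for the password extop are a separate step this script does not cover.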