[Freeipa-devel] freeipa and samba

Simo Sorce ssorce at redhat.com
Mon Feb 11 19:24:11 UTC 2008 

On Mon, 2008-02-11 at 11:14 -0800, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote:
> >> On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote:
> >>
> >>> Yes, in IPA v1.0 the concept of machine accounts still do not exist.
> >>> For samba anyway, machine accounts are just user accounts and must be
> >>> available via nss calls, so at all effects what you need for now is just
> >>> regular user accounts named after the machine name.
> >> Well, machines normally live under ou=Computers, not ou=People. I think
> >> I'll stay with smbldap-tools, until IPA has the machine account concept.
> > 
> > In IPA we already have the cn=Computers container, and for users we have
> > CN=Users. It's just that we do not have any tool to populate the
> > cn=Computers container yet.
> > 
> >>> No they are more advanced tools to tweak an installation, you shouldn't
> >>> need to use them for day to day operations though.
> >> True wrt. the configuration dialogs, but the user/group editing GUI does
> >> not seem to be usable for IPA, as it isn't able to add sambaSam and krb
> >> stuff.
> > 
> > Yes, to manage users you should use the IPA WebUI or CLI tools.
> > 
> >> I have some problems with accessing the IPA gui. It works with curl, but
> >> I couldn't get neither firefox on F8, nor IE and firefox on XP to access
> >> the gui. They seem to do SPNEGO, but the ticket does not seem to be
> >> delegatable. What exact browser / krb5 library versions are you using on
> >> the client?
> > 
> > It should work fine with Firefox on any Fedora/RedHat box (and probably,
> > but not tested just any other recent Linux distro).
> > 
> > When you connect to the server, if Firefox is not correctly configured,
> > you should be presented with a page that will configure Firefox for you
> > if you allow it to mess with your browser configuration (security
> > warning dialogs and all).
> > 
> > To make it work you need anyway to kinit admin at REALM on the client
> > before pointing Firefox at the Web UI or using the CLI tools.
> > 
> > Can you provide the error you get with Firefox ?
> > 
> > Simo.
> > 
> 
> And on Fedora 8 you need krb5-* >= 1.6.2-11

Oh right!
This package is still sleeping on the testing queue unfortunately, I am
pushing to have it pushed to stable asap.

To install it just do:

yum install --enablerepo=updates-testing krb5-server

This should bring in all the dependencies as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list