[Freeipa-users] Re: ipa-user backend for samba

mahen mahendra at latticenetworks.com
Fri Mar 20 08:47:53 UTC 2009


Hi,
Well, these are the steps....

1. ipaserver as server
2. sambaserver + ipaclient as smbserver
3. winXP ipa-client as ipa-client

In IPA-Server:
ipa-addservice cifs/sambaserver.example.com

In SambaServer:
kinit admin@EXAMPLE.COM
ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab

The two key parameters of smb.conf related to Kerberos are:
realm = EXAMPLE.COM
use kerberos keytab = yes

SAMBASERVER WORKS FINE AS AN IPA-CLIENT.


Please let me know if I have missed out any configuration.

Thanks.
mahendra

On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
> Hi,
> 
> it works for me.
> 
> mahen wrote:
> > Hi,
> > Can I use IPA users as backend for samba i.e. can I access samba share
> > from windows system (XP) using ipa user authentication.
> > 
> 
> I am using it that way.
> 
> > My settings are exactly the way it has been specified in the given
> > document.
> > http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
> > 
> > I think "passdb" parameter of smb.conf should point to IPA user database
> > but don't know how to do that.
> > 
> 
> Well, samba is looking in Kerberos that is looking in LDAP, so my 
> understanding is that 'passdb' is not used.
> 
> > currently it is pointing to smbpasswd as per the above document. 
> > With the current setup, I can access samba shares with smbclient -L
> > sambaserver.example.com command.
> > 
> 
> Under ipa-user? What kerberos ticket do you have in that case? From what 
> machine?
> 
> > But smbclient -k -L sambaserver.example.com gives me error.
> > "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> > session setup failed: NT_STATUS_LOGON_FAILURE"
> > 
> 
> Well, I am not a very good specialist in Samba, but I think you must check
> the following:
> 
> 1. firewalls
> 2. time sync
> 3. kerberos tickets
> 4. increase samba logging and look in samba logs
> 5. do you have a correct principal in ipa?
> 
> regards,
> 
> Kostya
> 
> > please help.
> > 
> > Thanks....
> > Mahendra
> > 
> > 
> 
> 
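An offline check for what the steps in this message must leave on the Samba server, added here as an example and not part of the original thread: a `cifs/` entry in the keytab and the two smb.conf settings. It parses the text printed by `klist -k /etc/krb5.keytab` and the smb.conf text, and compares against the literal `yes` given above; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# keytab_has_principal PRINCIPAL: reads `klist -k` output on stdin.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# smb_global_value KEY: reads smb.conf on stdin, prints KEY from [global].
smb_global_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            s = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            in_global = (s == "global"); next
        }
        in_global {
            i = index($0, "="); if (i == 0) next
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }'
}

# check_samba_krb CONF_TEXT KLIST_TEXT REALM PRINCIPAL
# Prints each problem; the return status is the number of problems found.
check_samba_krb() {
    bad=0
    [ "$(printf '%s\n' "$1" | smb_global_value realm)" = "$3" ] ||
        { echo "smb.conf: realm is not $3"; bad=$((bad + 1)); }
    [ "$(printf '%s\n' "$1" | smb_global_value 'use kerberos keytab')" = yes ] ||
        { echo "smb.conf: use kerberos keytab is not yes"; bad=$((bad + 1)); }
    printf '%s\n' "$2" | keytab_has_principal "$4" ||
        { echo "keytab: no entry for $4"; bad=$((bad + 1)); }
    return "$bad"
}

SAMPLE_CONF='[global]
   realm = EXAMPLE.COM
   use kerberos keytab = yes'
SAMPLE_KLIST='KVNO Principal
   2 host/sambaserver.example.com@EXAMPLE.COM
   2 cifs/sambaserver.example.com@EXAMPLE.COM'
check_samba_krb "$SAMPLE_CONF" "$SAMPLE_KLIST" EXAMPLE.COM \
    cifs/sambaserver.example.com@EXAMPLE.COM && echo "all checks passed"
```

On the Samba server itself, pass the contents of the real smb.conf and the output of `klist -k /etc/krb5.keytab` in place of the two sample variables.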




