[Freeipa-users] Re: ipa-user backend for samba

Konstantin Kozlov kozlov at spbcas.ru
Fri Mar 20 09:12:39 UTC 2009


Hi,

mahen wrote:
> Hi,
> well these are the steps.... 
> 
> 1. ipaserver as server
> 2. sambaserver + ipaclient as smbserver
> 3. winXP ipa-client as ipa-client
> 
> In IPA-Server:
> ipa-addservice cifs/sambaserver.example.com
> 
> In SambaServer:
> kinit admin@EXAMPLE.COM
> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab
> 
> The two key parameters of smb.conf related to kerberos are
> realm = EXAMPLE.COM
> use kerberos keytab = yes.
> 
> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
> 
What happens when you log into ipaserver as ipauser and try smbclient?
What happens when you log into ipaclient as ipauser and try smbclient?

Kostya

> 
> Please let me know if I have missed out any configuration.
> 
> Thanks.
> mahendra
> 
> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> it works for me.
>>
>> mahen wrote:
>>> Hi,
>>> Can I use IPA users as backend for samba i.e. can I access samba share
>>> from windows system (XP) using ipa user authentication.
>>>
>> I am using it that way.
>>
>>> My settings are exactly the way it has been specified in the given
>>> document.
>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>>>
>>> I think "passdb" parameter of smb.conf should point to IPA user database
>>> but don't know how to do that.
>>>
>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
>> understanding is that 'passdb' is not used.
>>
>>> currently it is pointing to smbpasswd as per the above document. 
>>> With the current setup, I can access samba shares with smbclient -L
>>> sambaserver.example.com command.
>>>
>> Under ipa-user? What kerberos ticket do you have in that case? From what 
>> machine?
>>
>>> But smbclient -k -L sambaserver.example.com gives me error.
>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>> session setup failed: NT_STATUS_LOGON_FAILURE"
>>>
>> Well, I am not a very good specialist in samba, but I think you must check 
>> the following:
>>
>> 1. firewalls
>> 2. time sync
>> 3. kerberos tickets
>> 4. increase samba logging and look in samba logs
>> 5. do you have a correct principal in ipa?
>>
>> regards,
>>
>> Kostya
>>
>>> please help.
>>>
>>> Thanks....
>>> Mahendra
>>>
>>>
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
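
Added example, not part of the original messages: a shell sketch of checklist item 5 combined with the two smb.conf parameters quoted in the thread. It reads an smb.conf and the saved output of `klist -k /etc/krb5.keytab` and checks that a `cifs/HOST@REALM` key is present for the configured realm. The function names, the plain `klist -k` column layout (KVNO, then principal) and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: offline check that smb.conf and a keytab listing agree.

# Print a smb.conf parameter value; the name is matched case-insensitively
# and lines starting with # or ; are skipped as comments.
smb_param() {  # usage: smb_param SMB_CONF "parameter name"
    awk -F'=' -v want="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == tolower(want)) { print val; exit }
        }' "$1"
}

# Succeed only if the saved `klist -k` listing has exactly this principal.
keytab_has() {  # usage: keytab_has KLIST_OUTPUT PRINCIPAL
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit !found }' "$1"
}

# Check realm, keytab use and the cifs principal for HOST; print the verdict.
check_cifs() {  # usage: check_cifs SMB_CONF KLIST_OUTPUT HOST
    realm=$(smb_param "$1" "realm")
    [ -n "$realm" ] || { echo "no realm in smb.conf"; return 1; }
    [ "$(smb_param "$1" "use kerberos keytab")" = "yes" ] ||
        { echo "use kerberos keytab is not yes"; return 1; }
    keytab_has "$2" "cifs/$3@$realm" ||
        { echo "cifs/$3@$realm missing from keytab"; return 1; }
    echo "ok: cifs/$3@$realm"
}

# Constructed sample inputs: the keytab holds only a host/ key, no cifs/ key.
demo() {
    d=$(mktemp -d)
    printf '[global]\n  realm = EXAMPLE.COM\n  use kerberos keytab = yes\n' \
        > "$d/smb.conf"
    printf 'KVNO Principal\n---- ---------\n   2 %s\n' \
        'host/sambaserver.example.com@EXAMPLE.COM' > "$d/klist.txt"
    check_cifs "$d/smb.conf" "$d/klist.txt" sambaserver.example.com || true
    rm -rf "$d"
}
demo
```

On a real Samba host the listing would be produced with `klist -k /etc/krb5.keytab > klist.txt` before calling `check_cifs`.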



