[Freeipa-users] Re: ipa-user backend for samba

Konstantin Kozlov kozlov at spbcas.ru
Fri Mar 20 09:41:06 UTC 2009


Hi,

What's the problem then?

Kostya

mahen wrote:
> Hi,
> 
> In both the cases (ipa-user @ ipa-server and ipa-user @ ipa-client)
> smbclient -k works fine.
> 
> mahendra
> 
> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> mahen wrote:
>>> Hi,
>>> well these are the steps.... 
>>>
>>> 1. ipaserver as server
>>> 2. sambaserver + ipaclient as smbserver
>>> 3. winXP ipa-client as ipa-client
>>>
>>> In IPA-Server:
>>> ipa-addservice cifs/sambaserver.example.com
>>>
>>> In SambaServer:
>>> kinit admin@EXAMPLE.COM
>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab
>>>
>>> The two key parameters of smb.conf related to kerberos are
>>> realm = EXAMPLE.COM
>>> use kerberos keytab = yes.
>>>
>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
>>>
>> What happens when you log into ipaserver as ipauser and try smbclient?
>> What happens when you log into ipaclient as ipauser and try smbclient?
> 
> 
> 
>> Kostya
>>
>>> Please let me know if I have missed out any configuration.
>>>
>>> Thanks.
>>> mahendra
>>>
>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
>>>> Hi,
>>>>
>>>> it works for me.
>>>>
>>>> mahen wrote:
>>>>> Hi,
>>>>> Can I use IPA users as backend for samba i.e. can I access samba share
>>>>> from windows system (XP) using ipa user authentication.
>>>>>
>>>> I am using it that way.
>>>>
>>>>> My settings are exactly the way it has been specified in the given
>>>>> document.
>>>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>>>>>
>>>>> I think "passdb" parameter of smb.conf should point to IPA user database
>>>>> but don't know how to do that.
>>>>>
>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
>>>> understanding is that 'passdb' is not used.
>>>>
>>>>> currently it is pointing to smbpasswd as per the above document. 
>>>>> With the current setup, I can access samba shares with smbclient -L
>>>>> sambaserver.example.com command.
>>>>>
>>>> Under ipa-user? What kerberos ticket do you have in that case? From what 
>>>> machine?
>>>>
>>>>> But smbclient -k -L sambaserver.example.com gives me error.
>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE"
>>>>>
>>>> Well, I am not a very good specialist in samba but I think you must check 
>>>> the following:
>>>>
>>>> 1. firewalls
>>>> 2. time sync
>>>> 3. kerberos tickets
>>>> 4. increase samba logging and look in samba logs
>>>> 5. do you have a correct principal in ipa?
>>>>
>>>> regards,
>>>>
>>>> Kostya
>>>>
>>>>> please help.
>>>>>
>>>>> Thanks....
>>>>> Mahendra
>>>>>
>>>>>
>>>
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
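
The setup quoted in this thread (a cifs service key in /etc/krb5.keytab, plus `realm` and `use kerberos keytab` in smb.conf) can be checked mechanically. The shell code below is an added example, not part of the original messages; it runs on constructed sample data, and the function names and sample file names are hypothetical.

```shell
# Print the value of a [global] smb.conf parameter (names are case-insensitive).
smbconf_get() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                          # skip comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/^[ \t]*\[/, "", sec)
                        gsub(/\].*$/, "", sec); next }   # remember current section
        sec == "global" && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == tolower(want)) { print v; exit }
        }' "$1"
}

# Succeed if saved `klist -k` output ($1) lists principal $2 exactly.
keytab_has_principal() {
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }' "$1"
}

# Report each mismatch between keytab listing, smb.conf and the expected principal.
check_samba_krb() {  # $1 = klist output, $2 = smb.conf, $3 = server FQDN, $4 = realm
    rc=0
    keytab_has_principal "$1" "cifs/$3@$4" || { echo "keytab lacks cifs/$3@$4"; rc=1; }
    [ "$(smbconf_get "$2" realm)" = "$4" ] || { echo "smb.conf realm is not $4"; rc=1; }
    case "$(smbconf_get "$2" 'use kerberos keytab' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "use kerberos keytab is not enabled"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data; on a real host use `klist -k /etc/krb5.keytab` output
# and the real smb.conf instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/klist_good.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/sambaserver.example.com@EXAMPLE.COM
   1 cifs/sambaserver.example.com@EXAMPLE.COM
EOF
grep -v ' cifs/' "$SAMPLE_DIR/klist_good.txt" > "$SAMPLE_DIR/klist_bad.txt"
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   realm = EXAMPLE.COM
   use kerberos keytab = yes
EOF
check_samba_krb "$SAMPLE_DIR/klist_good.txt" "$SAMPLE_DIR/smb.conf" sambaserver.example.com EXAMPLE.COM && echo "good sample: OK"
check_samba_krb "$SAMPLE_DIR/klist_bad.txt" "$SAMPLE_DIR/smb.conf" sambaserver.example.com EXAMPLE.COM || echo "bad sample: rejected"
```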
