[Freeipa-users] Re: ipa-user backend for samba

mahen mahendra at latticenetworks.com
Fri Mar 20 09:52:19 UTC 2009


:)

I want to access a Samba share from Windows XP (ipa-client) using
ipa-user authentication.


> 
On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote:
> Hi,
> 
> What's the problem then?
> 
> Kostya
> 
> mahen wrote:
> > Hi,
> > 
> > In both cases (ipa-user @ ipa-server and ipa-user @ ipa-client)
> > smbclient -k works fine.
This ipa-client is an FC9 machine where smbclient -k works when I log in
as an ipa-user.
> > 
> > mahendra
> > 
> > On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote:
> >> Hi,
> >>
> >> mahen wrote:
> >>> Hi,
> >>> well these are the steps.... 
> >>>
> >>> 1. ipaserver as server
> >>> 2. sambaserver + ipaclient as smbserver
> >>> 3. winXP ipa-client as ipa-client
> >>>
> >>> In IPA-Server:
> >>> ipa-addservice cifs/sambaserver.example.com
> >>>
> >>> In SambaServer:
> >>> kinit admin@EXAMPLE.COM
> >>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab
> >>>
> >>> The two key parameters of smb.conf related to Kerberos are:
> >>> realm = EXAMPLE.COM
> >>> use kerberos keytab = yes
> >>>
> >>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
> >>>
> >> What happens when you log into ipaserver as ipauser and try smbclient?
> >> What happens when you log into ipaclient as ipauser and try smbclient?
> > 
> > 
> > 
> >> Kostya
> >>
> >>> Please let me know if I have missed out any configuration.
> >>>
> >>> Thanks.
> >>> mahendra
> >>>
> >>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
> >>>> Hi,
> >>>>
> >>>> it works for me.
> >>>>
> >>>> mahen wrote:
> >>>>> Hi,
> >>>>> Can I use IPA users as a backend for Samba, i.e. can I access a Samba share
> >>>>> from a Windows system (XP) using ipa-user authentication?
> >>>>>
> >>>> I am using it that way.
> >>>>
> >>>>> My settings are exactly the way it has been specified in the given
> >>>>> document.
> >>>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
> >>>>>
> >>>>> I think "passdb" parameter of smb.conf should point to IPA user database
> >>>>> but don't know how to do that.
> >>>>>
> >>>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
> >>>> understanding is that 'passdb' is not used.
> >>>>
> >>>>> Currently it is pointing to smbpasswd as per the above document.
> >>>>> With the current setup, I can access samba shares with smbclient -L
> >>>>> sambaserver.example.com command.
> >>>>>
> >>>> Under ipa-user? What kerberos ticket do you have in that case? From what 
> >>>> machine?
> >>>>
> >>>>> But smbclient -k -L sambaserver.example.com gives me an error:
> >>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> >>>>> session setup failed: NT_STATUS_LOGON_FAILURE"
> >>>>>
> >>>> Well, I am not a very good specialist in Samba, but I think you must check
> >>>> the following:
> >>>>
> >>>> 1. firewalls
> >>>> 2. time sync
> >>>> 3. kerberos tickets
> >>>> 4. increase samba logging and look in samba logs
> >>>> 5. do you have a correct principal in ipa?
> >>>>
> >>>> regards,
> >>>>
> >>>> Kostya
> >>>>
> >>>>> Please help.
> >>>>>
> >>>>> Thanks....
> >>>>> Mahendra
> >>>>>
> >>>>>
> >>>
> >>
> > 
> > 
> 
> 
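
Added example, not part of the original thread: one way to run checklist item 5 ("correct principal") against the keytab written by ipa-getkeytab. It parses `klist -k` output and reports whether the exact cifs/FQDN@REALM entry is present; the function name check_keytab_principal and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Kerberos principal names are compared as exact strings, so a short host
# name or a different realm in the keytab will not match what clients request.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/sambaserver.example.com@EXAMPLE.COM
   2 cifs/sambaserver.example.com@EXAMPLE.COM'

# check_keytab_principal SERVICE FQDN REALM   (hypothetical helper)
# Reads a `klist -k` listing on stdin, prints a verdict, and returns:
#   0 = exact principal present
#   1 = same service present, but for another host or realm
#   2 = no entry for that service at all
check_keytab_principal() {
    ckp_service=$1
    ckp_want="$1/$2@$3"
    ckp_other=""
    while read -r ckp_kvno ckp_princ ckp_rest; do
        # Entry lines start with a numeric KVNO; skip the header and ruler.
        case $ckp_kvno in ''|*[!0-9]*) continue ;; esac
        if [ "$ckp_princ" = "$ckp_want" ]; then
            echo "ok"
            return 0
        fi
        # Remember a same-service entry that differs in host or realm.
        case $ckp_princ in "$ckp_service"/*) ckp_other=$ckp_princ ;; esac
    done
    if [ -n "$ckp_other" ]; then
        echo "mismatch:$ckp_other"
        return 1
    fi
    echo "missing"
    return 2
}

# Demo on the constructed sample. On the Samba server, pipe in the real listing:
#   klist -k /etc/krb5.keytab | check_keytab_principal cifs sambaserver.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" |
    check_keytab_principal cifs sambaserver.example.com EXAMPLE.COM
```

A "mismatch" or "missing" verdict points back at the ipa-addservice / ipa-getkeytab step rather than at smb.conf.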




