[Freeipa-users] Re: ipa-user backend for samba

Konstantin Kozlov kozlov at spbcas.ru
Fri Mar 20 11:19:02 UTC 2009


Hi,

I've got the point but the error you've posted was from smbclient not winxp.

What happens when you try from winxp with ipauser?
Samba log and kerberos log and other if you think it's relevant.

Kostya

mahen wrote:
> :)
> 
> I want to access samba share from windows xp (ipa-client) using
> ipa-user authentication.
> 
> 
> On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> What's the problem then?
>>
>> Kostya
>>
>> mahen wrote:
>>> Hi,
>>>
>>> In both the cases (ipa-user @ ipa-server and ipa-user @ ipa-client)
>>> smbclient -k works fine.
> This ipa-client is a FC9 machine where smbclient -k works when I log in
> as an ipa-user.
>>> mahendra
>>>
>>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote:
>>>> Hi,
>>>>
>>>> mahen wrote:
>>>>> Hi,
>>>>> well these are the steps.... 
>>>>>
>>>>> 1. ipaserver as server
>>>>> 2. sambaserver + ipaclient as smbserver
>>>>> 3. winXP ipa-client as ipa-client
>>>>>
>>>>> In IPA-Server:
>>>>> ipa-addservice cifs/sambaserver.example.com
>>>>>
>>>>> In SambaServer:
>>>>> kinit admin@EXAMPLE.COM
>>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab
>>>>>
>>>>> The two key parameters of smb.conf related to kerberos are
>>>>> realm = EXAMPLE.COM
>>>>> use kerberos keytab = yes.
>>>>>
>>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
>>>>>
>>>> What happens when you log into ipaserver as ipauser and try smbclient?
>>>> What happens when you log into ipaclient as ipauser and try smbclient?
>>> 
>>>
>>>
>>>> Kostya
>>>>
>>>>> Please let me know if I have missed out any configuration.
>>>>>
>>>>> Thanks.
>>>>> mahendra
>>>>>
>>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> it works for me.
>>>>>>
>>>>>> mahen wrote:
>>>>>>> Hi,
>>>>>>> Can I use IPA users as backend for samba i.e. can I access samba share
>>>>>>> from windows system (XP) using ipa user authentication.
>>>>>>>
>>>>>> I am using it that way.
>>>>>>
>>>>>>> My settings are exactly the way it has been specified in the given
>>>>>>> document.
>>>>>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>>>>>>>
>>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database
>>>>>>> but don't know how to do that.
>>>>>>>
>>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
>>>>>> understanding is that 'passdb' is not used.
>>>>>>
>>>>>>> currently it is pointing to smbpasswd as per the above document. 
>>>>>>> With the current setup, I can access samba shares with smbclient -L
>>>>>>> sambaserver.example.com command.
>>>>>>>
>>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what 
>>>>>> machine?
>>>>>>
>>>>>>> But smbclient -k -L sambaserver.example.com gives me error.
>>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE"
>>>>>>>
>>>>>> Well I am not very good specialist in samba but I think you must check 
>>>>>> the following:
>>>>>>
>>>>>> 1. firewalls
>>>>>> 2. time sync
>>>>>> 3. kerberos tickets
>>>>>> 4. increase samba logging and look in samba logs
>>>>>> 5. do you have a correct principal in ipa?
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> Kostya
>>>>>>
>>>>>>> please help.
>>>>>>>
>>>>>>> Thanks....
>>>>>>> Mahendra
>>>>>>>
>>>>>>>
>>>
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
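
An added example, not part of any message in this thread: a shell sketch that checks two of the items discussed above, the cifs principal in the keytab and the Kerberos-related settings in smb.conf. It reads `klist -k` output and an smb.conf from stdin; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Succeed if the `klist -k` listing on stdin has a key for principal $1.
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $NF == want { found = 1 }
        END { exit !found }'
}

# Print the value of parameter $1 from the [global] section of the smb.conf
# on stdin. Names are matched ignoring case and whitespace, as Samba does.
smbconf_global() {
    awk -v key="$1" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (norm($0) == "[global]"); next }
        in_global && (i = index($0, "=")) {
            if (norm(substr($0, 1, i - 1)) != norm(key)) next
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }'
}

# Constructed sample of `klist -k /etc/krb5.keytab` output.
sample_klist() { cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/sambaserver.example.com@EXAMPLE.COM
   2 cifs/sambaserver.example.com@EXAMPLE.COM
EOF
}

# Constructed sample smb.conf using the two parameters quoted in the thread.
sample_smbconf() { cat <<'EOF'
[global]
   Realm = EXAMPLE.COM
   use kerberos keytab = yes
[share]
   path = /srv/share
EOF
}

# Build the expected service principal from the configured realm and check it.
realm=$(sample_smbconf | smbconf_global "realm")
spn="cifs/sambaserver.example.com@$realm"
if sample_klist | keytab_has_principal "$spn"; then
    echo "OK: keytab holds $spn"
else
    echo "MISSING: $spn is not in the keytab"
fi
```

On a live Samba server the same functions can be fed from `klist -k /etc/krb5.keytab` and the real smb.conf instead of the sample functions.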



