[Freeipa-users] Re: ipa-user backend for samba

mahen mahendra at latticenetworks.com
Tue Mar 24 08:10:12 UTC 2009


Hi,
It worked. Instead of the IP address, we need to use the FQDN of the SambaServer
from the Windows client. If you use the IP address, the DOMAIN field becomes empty
(samba log observation).

Can I protect the individual user profiles (each should be accessible to the
respective user only) of ipa users on a Windows machine?

1. When I do mapuser in Windows XP, all ipa-users get mapped to the
single Windows user. In that case, all ipa-user profiles (desktop) become
one.

2. If I map individual users (one to one), I have to create local users
for each ipa-user.

I don't want to create local users for each ipa-user and still I want to
protect ipa-user profile privacy. (Somewhat similar to basic ADS)

Can you throw some light on this also?

Thanks..
Mahendra

 

On Fri, 2009-03-20 at 14:19 +0300, Konstantin Kozlov wrote:
> Hi,
> 
> I've got the point but the error you've posted was from smbclient not winxp.
> 
> What happens when you try from winxp with ipauser?
> Samba log and kerberos log and other if you think it's relevant.
> 
> Kostya
> 
> mahen wrote:
> > :)
> > 
> > I want to access samba share from windows xp (ipa-client) using
> > ipa-user authentication.
> > 
> > 
> > On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote:
> >> Hi,
> >>
> >> What's the problem then?
> >>
> >> Kostya
> >>
> >> mahen wrote:
> >>> Hi,
> >>>
> >>> In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client)
> >>> smbclient -k works fine.
> > 	This ipa-client is an FC9 machine where smbclient -k works when I log in
> > as an ipa-user.
> >>> mahendra
> >>>
> >>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote:
> >>>> Hi,
> >>>>
> >>>> mahen wrote:
> >>>>> Hi,
> >>>>> well these are the steps.... 
> >>>>>
> >>>>> 1. ipaserver as server
> >>>>> 2. sambaserver + ipaclient as smbserver
> >>>>> 3. winXP ipa-client as ipa-client
> >>>>>
> >>>>> In IPA-Server:
> >>>>> ipa-addservice cifs/sambaserver.example.com
> >>>>>
> >>>>> In SambaServer:
> >>>>> kinit admin@EXAMPLE.COM
> >>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com
> >>>>> -k /etc/krb5.keytab
> >>>>>
> >>>>> The two key parameters of smb.conf related to kerberos are
> >>>>> realm = EXAMPLE.COM
> >>>>> use kerberos keytab = yes.
> >>>>>
> >>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
> >>>>>
> >>>> What happens when you log into ipaserver as ipauser and try smbclient?
> >>>> What happens when you log into ipaclient as ipauser and try smbclient?
> >>> 
> >>>
> >>>
> >>>> Kostya
> >>>>
> >>>>> Please let me know if i have missed out any configuration.
> >>>>>
> >>>>> Thanks.
> >>>>> mahendra
> >>>>>
> >>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> it works for me.
> >>>>>>
> >>>>>> mahen wrote:
> >>>>>>> Hi,
> >>>>>>> Can I use IPA users as backend for samba i.e. can I access samba share
> >>>>>>> from windows system (XP) using ipa user authentication.
> >>>>>>>
> >>>>>> I am using it that way.
> >>>>>>
> >>>>>>> My settings are exactly the way it has been specified in the given
> >>>>>>> document.
> >>>>>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
> >>>>>>>
> >>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database
> >>>>>>> but don't know how to do that.
> >>>>>>>
> >>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
> >>>>>> understanding is that 'passdb' is not used.
> >>>>>>
> >>>>>>> currently it is pointing to smbpasswd as per the above document. 
> >>>>>>> With the current setup, I can access samba shares with smbclient -L
> >>>>>>> sambaserver.example.com command.
> >>>>>>>
> >>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what 
> >>>>>> machine?
> >>>>>>
> >>>>>>> But smbclient -k -L sambaserver.example.com gives me error.
> >>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
> >>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE"
> >>>>>>>
> >>>>>> Well, I am not a very good specialist in samba but I think you must check 
> >>>>>> the following:
> >>>>>>
> >>>>>> 1. firewalls
> >>>>>> 2. time sync
> >>>>>> 3. kerberos tickets
> >>>>>> 4. increase samba logging and look in samba logs
> >>>>>> 5. do you have a correct principal in ipa?
> >>>>>>
> >>>>>> regards,
> >>>>>>
> >>>>>> Kostya
> >>>>>>
> >>>>>>> please help.
> >>>>>>>
> >>>>>>> Thanks....
> >>>>>>> Mahendra
> >>>>>>>
> >>>>>>>
> >>>
> >>
> > 
> > 
> 
> 
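
Added example, not part of the original thread or of FreeIPA/Samba: a small check reflecting the thread's finding that the Windows client must address the Samba server by FQDN so that a `cifs/<fqdn>@REALM` service ticket matching the keytab can be used. The sample `klist -k` output, the function names and the share paths are constructed for illustration; the host and realm reuse the thread's `sambaserver.example.com` and `EXAMPLE.COM`.

```python
import ipaddress
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sambaserver.example.com@EXAMPLE.COM
   3 cifs/sambaserver.example.com@EXAMPLE.COM
   3 cifs/sambaserver.example.com@EXAMPLE.COM
"""

def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -k` output."""
    principals = set()
    for line in klist_output.splitlines():
        # Entry lines look like "<kvno> <principal>@<REALM>"; headers do not match.
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals

def check_target(unc_path, realm, principals):
    """Classify whether a client using unc_path can get a matching cifs ticket."""
    parts = unc_path.lstrip("\\/").replace("/", "\\").split("\\")
    host = parts[0].lower()
    try:
        ipaddress.ip_address(host)
        # Matches the thread: with an IP address the DOMAIN field was empty.
        return "no-kerberos: IP address, no cifs/<fqdn> principal can be derived"
    except ValueError:
        pass
    if "." not in host:
        return "check: short name, depends on client DNS suffix resolution"
    spn = f"cifs/{host}@{realm}"
    if spn in principals:
        return f"kerberos: {spn}"
    return f"missing-key: {spn} not in keytab"

if __name__ == "__main__":
    keys = keytab_principals(SAMPLE_KLIST)
    for target in (r"\\sambaserver.example.com\share", r"\\192.0.2.10\share"):
        print(target, "->", check_target(target, "EXAMPLE.COM", keys))
```

On a real server, feed the function the output of `klist -k /etc/krb5.keytab` instead of the constructed sample.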




