[Freeipa-users] Re: ipa-user backend for samba

Konstantin Kozlov kozlov at spbcas.ru
Tue Mar 24 08:26:53 UTC 2009


Hi,

mahen wrote:
> Hi,
> It worked. Instead of the IP address we need to use the FQDN name of the
> SambaServer from the Windows client. If you use the IP address, the DOMAIN
> field becomes empty (samba log observation).
> 

It is natural to use the first part only in Windows, like "samba" from 
"samba.example.com". For this you need the principal cifs/samba@EXAMPLE.COM.

> Can I protect individual user profiles (should be accessible to the
> respective user only) of ipa users on a Windows machine?
> 
> 1.  When I do mapuser in Windows XP, all ipa-users get mapped to the
> single Windows user. In that case, all ipa-user profiles (desktop) become
> one.
> 
> 2. If I map individual users (one to one), I have to create local users
> for each ipa-user. 
> 
> I don't want to create local users for each ipa-user and still I want to
> protect ipa-user profile privacy. (Somewhat similar to basic ADS)
> 

As I wrote:
/*
The next part, i.e. making network users is said to be impossible though 
it may be possible by the following trick:

http://support.microsoft.com/kb/320043

The local test user is created but the path for home directory depends 
on environment variable %username% that might be substituted with ipa 
username after login and hence different users mapped to a single one 
get different homes.

I didn't test that.
*/

Best regards,

Kostya

> Can you throw some light on this also?
> 
> Thanks.
> Mahendra
> 
>  
> 
> On Fri, 2009-03-20 at 14:19 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> I've got the point but the error you've posted was from smbclient not winxp.
>>
>> What happens when you try from winxp with ipauser?
>> Samba log and kerberos log and other if you think it's relevant.
>>
>> Kostya
>>
>> mahen wrote:
>>> :)
>>>
>>> I want to access samba share from windows xp (ipa-client) using
>>> ipa-user authentication.
>>>
>>>
>>> On Fri, 2009-03-20 at 12:41 +0300, Konstantin Kozlov wrote:
>>>> Hi,
>>>>
>>>> What's the problem then?
>>>>
>>>> Kostya
>>>>
>>>> mahen wrote:
>>>>> Hi,
>>>>>
>>>>> In both the cases( ipa-user @ ipa-server and ipa-user @ ipa-client)
>>>>> smbclient -k works fine.
>>> This ipa-client is an FC9 machine where smbclient -k works when I log in
>>> as an ipa-user.
>>>>> mahendra
>>>>>
>>>>> On Fri, 2009-03-20 at 12:12 +0300, Konstantin Kozlov wrote:
>>>>>> Hi,
>>>>>>
>>>>>> mahen wrote:
>>>>>>> Hi,
>>>>>>> well these are the steps.... 
>>>>>>>
>>>>>>> 1. ipaserver as server
>>>>>>> 2. sambaserver + ipaclient as smbserver
>>>>>>> 3. winXP ipa-client as ipa-client
>>>>>>>
>>>>>>> In IPA-Server:
>>>>>>> ipa-addservice cifs/sambaserver.example.com
>>>>>>>
>>>>>>> In SambaServer:
>>>>>>> kinit admin@EXAMPLE.COM
>>>>>>> ipa-getkeytab -s ipaserver.example.com -p cifs/sambaserver.example.com -k /etc/krb5.keytab
>>>>>>>
>>>>>>> The two key parameters of smb.conf related to kerberos are
>>>>>>> realm = EXAMPLE.COM
>>>>>>> use kerberos keytab = yes.
>>>>>>>
>>>>>>> SAMBASERVER WORKS FINE AS AN IPA-CLIENT.
>>>>>>>
>>>>>> What happens when you log into ipaserver as ipauser and try smbclient?
>>>>>> What happens when you log into ipaclient as ipauser and try smbclient?
>>>>> 
>>>>>
>>>>>
>>>>>> Kostya
>>>>>>
>>>>>>> Please let me know if i have missed out any configuration.
>>>>>>>
>>>>>>> Thanks.
>>>>>>> mahendra
>>>>>>>
>>>>>>> On Fri, 2009-03-20 at 11:10 +0300, Konstantin Kozlov wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> it works for me.
>>>>>>>>
>>>>>>>> mahen wrote:
>>>>>>>>> Hi,
>>>>>>>>> Can I use IPA users as backend for samba, i.e. can I access a samba share
>>>>>>>>> from a Windows system (XP) using ipa user authentication?
>>>>>>>>>
>>>>>>>> I am using it that way.
>>>>>>>>
>>>>>>>>> My settings are exactly the way it has been specified in the given
>>>>>>>>> document.
>>>>>>>>> http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
>>>>>>>>>
>>>>>>>>> I think "passdb" parameter of smb.conf should point to IPA user database
>>>>>>>>> but don't know how to do that.
>>>>>>>>>
>>>>>>>> Well, samba is looking in Kerberos that is looking in LDAP, so my 
>>>>>>>> understanding is that 'passdb' is not used.
>>>>>>>>
>>>>>>>>> currently it is pointing to smbpasswd as per the above document. 
>>>>>>>>> With the current setup, I can access samba shares with smbclient -L
>>>>>>>>> sambaserver.example.com command.
>>>>>>>>>
>>>>>>>> Under ipa-user? What kerberos ticket do you have in that case? From what 
>>>>>>>> machine?
>>>>>>>>
>>>>>>>>> But smbclient -k -L sambaserver.example.com gives me error.
>>>>>>>>> "cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>>>>>>>>> session setup failed: NT_STATUS_LOGON_FAILURE"
>>>>>>>>>
>>>>>>>> Well, I am not a very good specialist in samba but I think you must check 
>>>>>>>> the following:
>>>>>>>>
>>>>>>>> 1. firewalls
>>>>>>>> 2. time sync
>>>>>>>> 3. kerberos tickets
>>>>>>>> 4. increase samba logging and look in samba logs
>>>>>>>> 5. do you have a correct principal in ipa?
>>>>>>>>
>>>>>>>> regards,
>>>>>>>>
>>>>>>>> Kostya
>>>>>>>>
>>>>>>>>> please help.
>>>>>>>>>
>>>>>>>>> Thanks....
>>>>>>>>> Mahendra
>>>>>>>>>
>>>>>>>>>
>>>
>>
> 
> 
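
The keytab and principal checks discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or Samba code: it reads an MIT keytab (file format 0x0502) and reports whether it holds the cifs principal for the name a client connects with (FQDN, short name or IP address). The function names, the all-zero sample key and the assumption that the client builds the principal from the name exactly as typed are illustrative.

```python
import ipaddress
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        p, pos = pos + 4, pos + 4 + abs(size)  # pos now points at the next entry
        if size <= 0:                          # hole left by a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        p, names = p + 2, []
        for _ in range(ncomp + 1):             # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno = data[p + 8]                     # after 4-byte name type and timestamp
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen
        if pos - p >= 4:                       # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return out

def wanted_principal(target, realm):
    """cifs principal for the name the client typed (assumed used as-is); None for an IP."""
    try:
        ipaddress.ip_address(target)
        return None                            # no hostname to build a principal from
    except ValueError:
        return "cifs/%s@%s" % (target, realm)

def keytab_serves(keytab, target, realm):
    want = wanted_principal(target, realm)
    return want is not None and any(e[0] == want for e in parse_keytab(keytab))

def make_entry(principal, kvno, enctype=18, key=b"\x00" * 32):  # sample-data builder
    *comps, realm = principal.replace("@", "/").split("/")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(comps)) + b"".join(map(cs, [realm] + comps))
            + struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: one entry for the principal named in the thread's commands.
SAMPLE = b"\x05\x02" + make_entry("cifs/sambaserver.example.com@EXAMPLE.COM", 2)
```

On a real server, pass the bytes of `/etc/krb5.keytab` (readable by root only) in place of `SAMPLE`; a `False` result for the short name means the extra short-name principal mentioned in the reply is missing from the keytab.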



