[Freeipa-users] Samba 4 with IPA

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 30 19:17:27 UTC 2013


On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
>On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote:
>>That is actually pretty good news.  The real requirement is network
>>storage for the Windows workstations secured by FreeIPA authentication.
>>If I read what you’ve said correctly this is possible now.  I can live
>>with the magical incantations to enrol any new Windows machines for
>>now.  There are a few things that would work better if Windows thought
>>it was logging on to a domain, but we have lived without those features
>>for the last year.  Once a Windows machine has been set up correctly,
>>which can be a bit hit and miss, the authentication works flawlessly.
>To be clear, we have not tested this combination so you'll be in uncharted
>waters.
>
>Since TGT for these users would still be issued by FreeIPA KDC, it would
>include MS-PAC with SIDs of these users in FreeIPA domain -- once you
>have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
>be able to recognize them as FreeIPA users regardless where they come
>from -- IPA or Windows machines, as long as Kerberos is in use.
>
>Any reports of how such setup would actually behave are welcomed.
>
>>It sounds as though I can set up the file server now and then extend it
>>to do the AD DC bit when it is ready.
>
>>I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>>anywhere is there?
>The only requirements for a simplistic setup are to:
>1. run file server on IPA master (you can make a dedicated replica for that)
>2. run ipa-adtrust-install on that master to setup Samba configuration
>   and enable KDC + directory server to handle SIDs
>3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>   uses registry backend to store smb.conf configuration.
>
>See
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
>for sample how to work with 'net conf setparm'.
>
>For 'valid users' I guess you can use simply user names since these
>would be our local ones.
>
>Again, this is completely untested right now.
So, I tried a quick test for this, using the admins group:

1. Setup shared space, apply SELinux context and modify ACLs:
[root at red samba-4.0.5]# mkdir /srv/testshare
[root at red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root at red samba-4.0.5]# setfacl -m g:admins:rwx  /srv/testshare
[root at red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x

2. Create actual Samba share:
[root at red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N

3. Obtain TGT for Kerberos identity (admin, belongs to admins group):
[root at red samba-4.0.5]# kinit
Password for admin at BIRD.CLONE: 
[root at red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE at BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied
a few files in several sessions, showing the last one):

[root at red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
   .                                   D        0  Tue Apr 30 22:06:51 2013
   ..                                  D        0  Tue Apr 30 21:40:04 2013
   foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
   README                              A     7998  Tue Apr 30 22:06:51 2013

                 40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt 
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
   .                                   D        0  Tue Apr 30 22:10:35 2013
   ..                                  D        0  Tue Apr 30 21:40:04 2013
   WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
   foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
   README                              A     7998  Tue Apr 30 22:06:51 2013

                 40918 blocks of size 262144. 19277 blocks available
smb: \>

Check status of the last copied file, notice permissions and SELinux
context:
[root at red samba-4.0.5]#  stat /srv/testshare/WHATSNEW.txt 
   File: ‘/srv/testshare/WHATSNEW.txt’
   Size: 47112           Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  admins)
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
  Birth: -

-- 
/ Alexander Bokovoy
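The setup above depends on three things lining up on the share directory: a named-group ACL entry for the group listed in 'valid users', an ACL mask that does not silently trim that entry, and the samba_share_t SELinux type. The following Python script is an added example (not code from this thread or from the FreeIPA/Samba projects) that checks all three, first against constructed copies of the getfacl output shown above, then optionally against a real directory via getfacl(1) and stat(1). The group name, directory path and the "r-x" mask variant are assumptions made for the demonstration.

```python
"""Verify that a directory is ready to be exported as a Samba share
to one POSIX group: ACL entry present, mask not trimming it, and the
SELinux type set to samba_share_t.  Added example, not project code."""
import re
import subprocess
import sys

# Constructed sample: the getfacl output from the thread, and a variant
# whose mask would silently drop write access for group:admins.
GOOD_ACL = """\
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x
"""
MASKED_ACL = GOOD_ACL.replace("mask::rwx", "mask::r-x")  # assumed bad variant
GOOD_CONTEXT = "system_u:object_r:samba_share_t:s0"      # from the stat output

# One ACL entry line, optionally followed by getfacl's "#effective:" hint.
ENTRY_RE = re.compile(
    r"^(user|group|mask|other):([^:]*):([rwx-]{3})(?:\s+#effective:[rwx-]{3})?$"
)


def parse_getfacl(text):
    """Parse getfacl(1) output into header fields plus (tag, qualifier, perms) entries."""
    acl = {"file": None, "owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                       # header comment lines
            key, _, value = line[1:].strip().partition(":")
            if key.strip() in ("file", "owner", "group"):
                acl[key.strip()] = value.strip()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        acl["entries"].append(m.groups())
    return acl


def effective_perms(acl, tag, qualifier=""):
    """Permissions actually granted to an entry once the ACL mask is applied.

    The mask limits named users, named groups and the owning group; the
    owner entry and 'other' are never masked.  Returns None if absent."""
    mask = next((p for t, q, p in acl["entries"] if t == "mask"), "rwx")
    for t, q, p in acl["entries"]:
        if t == tag and q == qualifier:
            if (tag == "user" and qualifier == "") or tag == "other":
                return p
            return "".join(c if c in mask else "-" for c in p)
    return None


def check_share_dir(getfacl_text, selinux_context, group, needed="rwx"):
    """Return a list of problems; an empty list means the directory is ready for `group`."""
    problems = []
    acl = parse_getfacl(getfacl_text)
    granted = effective_perms(acl, "group", group)
    if granted is None:
        problems.append(f"no ACL entry for group {group}")
    else:
        raw = next(p for t, q, p in acl["entries"] if t == "group" and q == group)
        missing = "".join(c for c in needed if c not in granted)
        if missing:
            hint = " (the ACL mask trims the entry)" if all(c in raw for c in needed) else ""
            problems.append(f"group {group} effectively has {granted}, missing {missing}{hint}")
    parts = selinux_context.split(":")
    selinux_type = parts[2] if len(parts) >= 3 else selinux_context
    if selinux_type != "samba_share_t":
        problems.append(f"SELinux type is {selinux_type}, expected samba_share_t")
    return problems


def live_check(path, group, needed="rwx"):
    """Run the same checks on a real directory (needs getfacl and GNU stat with %C)."""
    acl_text = subprocess.run(["getfacl", "-p", path], capture_output=True,
                              text=True, check=True).stdout
    ctx = subprocess.run(["stat", "-c", "%C", path], capture_output=True,
                         text=True, check=True).stdout.strip()
    return check_share_dir(acl_text, ctx, group, needed)


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # usage: script.py /srv/testshare admins
        for problem in live_check(sys.argv[1], sys.argv[2]):
            print(problem)
    else:
        print("good:", check_share_dir(GOOD_ACL, GOOD_CONTEXT, "admins"))
        print("masked:", check_share_dir(MASKED_ACL, GOOD_CONTEXT, "admins"))
```

Run with a path and a group name to check a real directory; with no arguments it evaluates the constructed samples, reporting no problems for the first and a mask-trimmed entry for the second. The mask check matters because a later `chmod g-w` on the directory rewrites the ACL mask, not the named entries, so `getfacl` still shows `group:admins:rwx` while the group has lost write access.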
