[Freeipa-users] ipa <-> samba

[Torsten Scholak]

Hi there,

I am considering to set up a smb2 server intended for certain windows machines and macs that are not member of the kerberos realm and hence not single sign-on enabled (read: guest machines).

The server for the smb service runs a fresh Fedora 20 and is also holding an ipa replica.

Let me strees that I don't need a domain controller nor the synchronization to one, just a way to allow samba to lookup and authenticate against credentials provided by freeipa. This is just a pet project in a non-production environment (home).

I searched around a bit and found a number of guides and mailing list posts, e.g.
https://www.mail-archive.com/freeipa-users@redhat.com/msg04928.html
However, information tends to be scarce, scattered, and incomplete. Since most of it is rather old, I worry that it is horribly outdated.

Today, how would I go about this?
Is this configuration at all supported?
Do I get samba 3 or samba 4 for that job?
Do I use ldapsam as passdb backend?
Do I need to extend the schema?
Which attributes/objectclasses do users and groups have to have in order to work with samba?
Do they have to be converted to posix objects?
What is ipa-sam? Is there any documentation for ipa-sam?

I'm not requesting a full step-by-step tutorial here, I just hope someone can point me in the right direction.

Best,
Torsten