[Freeipa-users] Setting up samba with IPA

Dmitri Pal dpal at redhat.com
Thu Feb 20 15:16:32 UTC 2014


On 02/20/2014 07:25 AM, Johan Petersson wrote:
> I do not have access to my lab environment at the moment to help you completely, but this should put you on the right track, I hope.
>
> This config enables Home Directories shared through NFS to IPA Linux Clients to also be accessible to Windows Clients through SAMBA when having a sync configuration between AD and IPA.
>
> The system is an IPA client acting as an NFS/SAMBA file server.
> The home directory is shared through NFS 4 krb5p and is automounted to Linux clients.
> I presume that the IPA client configuration and NFS 4 shared home directories on the server are working properly already. You also need to have the AD/IPA sync and passsync working.
>
> Windows AD Server realm is adexample.com
>
> You can have more than one Kerberos realm in your krb5.conf, so just add the AD realm under [realms] and [domain_realm].
>
> [realms]
>    EXAMPLE.COM = {
>      pkinit_anchors = FILE:/etc/ipa/ca.crt
>    }
>    ADEXAMPLE.COM = {
>      kdc = ad.adexample.com
>      admin_server = ad.adexample.com
>      default_domain = adexample.com
>    }
> [domain_realm]
>    .example.com = EXAMPLE.COM
>    example.com = EXAMPLE.COM
>    .adexample.com = ADEXAMPLE.COM
>    adexample.com = ADEXAMPLE.COM
>
> /etc/nsswitch.conf:
>
> passwd: files sss winbind
> group: files sss winbind
>
> Try this config in /etc/samba/smb.conf (the idmap domain name must be the
> NetBIOS workgroup name, so it is ADEXAMPLE here rather than a leftover
> lab name):
>
> [global]
>          workgroup = ADEXAMPLE
>
>          security = ads
>          passdb backend = tdbsam
>          realm = ADEXAMPLE.COM
>          encrypt passwords = yes
>          domain master = no
>          local master = no
>          preferred master = no
>          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>          use sendfile = true
>          idmap config * : backend = tdb
>          idmap config * : range = 100000-299999
>          idmap config ADEXAMPLE : backend = rid
>          idmap config ADEXAMPLE : range = 10000-99999
>
>          winbind separator = +
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = yes
>          winbind nested groups = yes
>          winbind refresh tickets = yes
>          template homedir = /home/%U
>          template shell = /bin/bash
>          client use spnego = yes
>          client ntlmv2 auth = yes
>          restrict anonymous = 2
>
>
> [homes]
>          comment = Home Directories
>          path = /home/%U
>          browseable = no
>          writable = yes
>          valid users = %U
>          force user = %U
>          directory mode = 0700
>          force directory mode = 0700
>          create mode = 0600
>          force create mode = 0600
>          access based share enum = yes
>          hide unreadable = yes
>
> If you use an alternate home directory, don't forget to set up SELinux for it properly with home_root_t/user_home_dir_t/user_home_t.
>
> Allow samba to share home directories:
>
> setsebool -P samba_enable_home_dirs on
>
> Join server to the AD:
> net ads join -U administrator
>
> Make sure smb and winbind are started and set to automatic start at reboots.
>
> Test that you get user and group information (from winbind and from nsswitch):
> wbinfo -u
> getent passwd
> wbinfo -g
> getent group
>
> Test:
> smbclient -L //servername.example.com -U username
>
> smbclient //servername.example.com/username -U username
>
> Try browsing and creating files/directories, and check that all permissions are 0700/0600 with the right user/group.
> Also don't forget to configure the firewall on the server to allow SAMBA.

Johan, would you mind creating a HOWTO page on FreeIPA wiki?


> Regards,
> Johan
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Wednesday, February 19, 2014 01:28
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Setting up samba with IPA
>
> This is what I'd like to do: Linux users have NFS, with Samba for Windows users.  From what I can read, however, to get Samba to work with AD I have to alter Kerberos, which is set to IPA... so I don't understand how you have it working.
>
> Currently I'm trying to get Samba just to work with a password set via smbpasswd, but this is also failing; not sure if it's an IPA interference issue or something else...
>
>
> regards
>
> Steven J
> ________________________________________
> From: Johan Petersson<Johan.Petersson at sscspace.com>
> Sent: Tuesday, 18 February 2014 8:18 p.m.
> To: Steven Jones; freeipa-users at redhat.com; dpal at redhat.com
> Subject: RE: [Freeipa-users] Setting up samba with IPA
>
> One solution that I have tested myself is to have IPA and AD sync, with Samba as a server in a 2012 R2 Server AD.
> For shared directories used by both Windows and Linux clients, like Home, I used NFS 4 with Kerberos for Linux and Samba ADS for Windows.
> The same user could log in from both Windows and Linux with the same password through winsync and passsync and get secured access with proper permissions on directories and files.
> I tested this setup out while I wait for IPA being able to handle all user accounts and resources in an IPA - AD trust.
>
> Regards,
> Johan
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Tuesday, February 18, 2014 00:34
> To: freeipa-users at redhat.com; dpal at redhat.com
> Subject: Re: [Freeipa-users] Setting up samba with IPA
>
> Can we be clear here:
>
> I'm not after SSO as such; I can sign in with the AD password, but that is failing.
>
> Otherwise, if I read you correctly, I can't use IPA-controlled Samba with AD-controlled Windows hosts at all?
>
> So I'm better to de-IPA Samba and go back to the old Samba method with a local password?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com<freeipa-users-bounces at redhat.com>  on behalf of Dmitri Pal<dpal at redhat.com>
> Sent: Tuesday, 18 February 2014 12:04 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Setting up samba with IPA
>
> On 02/17/2014 05:49 PM, Steven Jones wrote:
>> Hi,
>>
>> So what you are saying is AD clients and IPA enabled samba servers dont work as a solution yet?
>>
>> Ergo I have to remove IPA off the samba server?
> I think the setup when you have sync in place is a bit crafty.
> I know that people made it work in the past, but with the assumption
> that this is not SSO.
> I mean you can't use a Windows system and access a Samba FS share when
> Samba FS is a member of IPA and IPA is in a sync relationship, because the user on
> Windows and the user in IPA are two different users even though they have the same
> name: Samba FS can't match the Windows SID of the Windows user to the SID
> of the IPA user because there is no SID for the IPA user.
> But on the other side, I know that one can make Samba FS work with IPA;
> there have been articles about it. I am not sure what the expectation is
> about the clients in this case.
>
> The solution that we are working on is based on the trust. This part is
> not ready yet. Once ready Samba FS can be a member of the IPA domain,
> IPA would trust AD and then users from AD running Windows systems would
> be able to directly use Samba FS. This feature is in development right now.
>
>> regards
>>
>> Steven Jones
>>
>> ________________________________________
>> From: Alexander Bokovoy<abokovoy at redhat.com>
>> Sent: Tuesday, 18 February 2014 11:21 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Setting up samba with IPA
>>
>> On Mon, 17 Feb 2014, Steven Jones wrote:
>>> I seem to have got a RHEL6 workstation doing smbclient to an IPA samba
>>> enabled server OK.
>>>
>>>
>>> Is there a way to limit some users to CIFS only in IPA?
>> If your file system supports POSIX ACLs then simply set limits at the
>> file system level; it should work fine.
>>
>> http://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
>>
>>> Also, however, my AD-connected Windows 7 machine with winsync and passsync
>>> in place to IPA won't connect. It doesn't seem to like the password... or
>>> user, unsure...
>> It doesn't like the SID of that user and therefore doesn't think it is the
>> same user. There might be other reasons too, as we still haven't settled
>> all the bits to enable proper Windows integration for CIFS file
>> serving.
>>
>> --
>> / Alexander Bokovoy
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
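A small lint for the smb.conf pattern posted in this thread, added here as an example; it is not code from the list post or from Samba. It parses an smb.conf, checks the settings that matter for a file server exposing [homes] (security = ads, restrict anonymous, NTLMv2, 0700/0600 modes, valid users = %U), verifies that every per-domain "idmap config" entry names the configured workgroup, that the idmap ranges do not overlap each other, and, optionally, that they do not collide with UID ranges already handed out elsewhere (for instance the range IPA assigns through sssd, which winbind must stay clear of on a host running both). The sample configuration is constructed and deliberately keeps an idmap domain name that does not match the workgroup; the IPA range in the usage call is a placeholder, not a value from the thread.

```python
"""Lint the security-relevant parts of an smb.conf for an AD-joined Samba
member server exporting [homes]. Added example; not from the thread or Samba."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not the posted config verbatim); the idmap domain
# "TEST" intentionally does not match workgroup ADEXAMPLE.
SAMPLE_SMB_CONF = """
[global]
    workgroup = ADEXAMPLE
    security = ads
    realm = ADEXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    client ntlmv2 auth = yes
    restrict anonymous = 2

[homes]
    path = /home/%U
    browseable = no
    writable = yes
    valid users = %U
    create mode = 0600
    directory mode = 0700
"""

IDMAP_RE = re.compile(r"^idmap config (\S+) : (backend|range)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader: section names lower-cased, key whitespace collapsed,
    '#'/';' comments skipped; parameters before any header go under 'global'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed smb.conf line: {raw!r}")
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_domains(global_sec: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config <DOM> : backend|range' parameters per domain (upper-cased)."""
    doms: Dict[str, Dict[str, str]] = {}
    for key, value in global_sec.items():
        m = IDMAP_RE.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return doms


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = value.split("-")
    return int(lo), int(hi)


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def lint_smb_conf(text: str, reserved_uid_ranges=()) -> List[str]:
    """Return findings (empty list = the checked settings look sane).
    reserved_uid_ranges: iterable of (label, lo, hi) UID ranges that the
    winbind idmap ranges must not collide with (e.g. the IPA ID range)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []
    if g.get("security", "").lower() != "ads":
        findings.append("global: security = ads expected for an AD member server")
    if g.get("restrict anonymous") != "2":
        findings.append("global: restrict anonymous = 2 expected")
    if g.get("client ntlmv2 auth", "").lower() != "yes":
        findings.append("global: client ntlmv2 auth = yes expected")
    workgroup = g.get("workgroup", "").upper()
    doms = idmap_domains(g)
    if "*" not in doms:
        findings.append("global: no default 'idmap config *' backend/range")
    for dom, params in doms.items():
        if dom not in ("*", workgroup):
            findings.append(f"global: idmap config {dom} does not match workgroup {workgroup}")
        if "range" not in params:
            findings.append(f"global: idmap config {dom} has no range")
    ranges = [(d, parse_range(p["range"])) for d, p in doms.items() if "range" in p]
    for i, (d1, r1) in enumerate(ranges):
        for d2, r2 in ranges[i + 1:]:  # idmap ranges must be disjoint from each other
            if overlaps(r1, r2):
                findings.append(f"global: idmap ranges for {d1} and {d2} overlap")
        for label, lo, hi in reserved_uid_ranges:  # ...and from externally assigned UIDs
            if overlaps(r1, (lo, hi)):
                findings.append(f"global: idmap range for {d1} overlaps {label} UID range {lo}-{hi}")
    homes = conf.get("homes")
    if homes is None:
        findings.append("[homes] share is missing")
    else:
        for param, expected in (("browseable", "no"), ("valid users", "%U"),
                                ("create mode", "0600"), ("directory mode", "0700")):
            if homes.get(param, "").lower() != expected.lower():
                findings.append(f"homes: {param} = {expected} expected, got {homes.get(param)!r}")
    return findings


if __name__ == "__main__":
    # Placeholder IPA ID range (constructed); take the real one from `ipa idrange-find`.
    for finding in lint_smb_conf(SAMPLE_SMB_CONF, [("IPA", 150000, 250000)]) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the workgroup/idmap mismatch, and with the placeholder IPA range it also flags the default "*" range colliding with it; after renaming the idmap domain to ADEXAMPLE and choosing a disjoint range the list is empty. Point it at a real /etc/samba/smb.conf with the ID range reported by the IPA server to check a deployment before joining.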