[Freeipa-users] Getting Samba3 and FreeIPAv3 working together

Tue Jun 3 13:44:10 UTC 2014

Hi Petr & Sumit,

I've been trying to get further with my setup.

1. Thanks Petr, the groups.js plugin seems to work fine, it shows the
correct info on the GUI screen and seems to be ok.

2. Sumit, I'm afraid that I'm having a few more problems after running
" ipa-adtrust-install --add-sids". I cannot now add any users on the
server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I
get the following error:

GUI:
IPA Error 4205
missing attribute: "sambaSID" required by object class "sambaSamAccount"

Command-line:
ipa user-add test1234 .....
ipa: ERROR: missing attribute "sambaSID" required by object class
"sambaSamAccount"

Also, when editing an existing user, there is no sambaSID field
available to edit.

If you have any ideas, please let me know.

Thanks,

Dylan.

On 26 May 2014 11:40, Petr Vobornik <pvoborni at redhat.com> wrote:
> On 23.5.2014 16:31, Dylan Evans wrote:
>>
>> Hi Sumit and Petr,
>>
>> Thanks both of you for your replies, I've now got to go and try to
>> implement all your suggestions but I have some more questions, sorry!
>> The guide at techslaves was fine, I just got stuck with the changes in
>> the JavaScript packages and the Samba server questions.
>>
>> 1. Petr, I put your samba.js plugin into
>> /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
>> of JS knowledge, anything more than simple Bash scripts tends to leave
>> me confused! Do I need to do anything else apart from restart the IPA
>> service? I read your info at
>> http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
>> plugins have to be registered, but I couldn't work out if it's a
>> manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
>> for the CLI as well.
>
>
> Should be automatically handled by the plugin.py wsgi handler and related
> logic in Web UI. Just make sure that the file and the directory have same
> names (except the extension in file's case of course).
>
>
>>
>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now
>> and try it next week. BTW, the version of Samba I'm testing against is
>> 3.6.9-168 on CentOS 6.5.
>>
>> Thanks again for your information and patience,
>>
>> Dylan.
>>
>> On 22 May 2014 14:19, Petr Vobornik <pvoborni at redhat.com> wrote:
>>>
>>> On 22.5.2014 14:19, Sumit Bose wrote:
>>>>
>>>>
>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I need some help with getting Samba and FreeIPA working together.
>>>>>
>>>>> I’ve been following the guide at
>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>>>>> that seems quite out of date for IPAv3 and I need some help:
>>>>
>>>>
>>>>
>>>> yes, it is a bit outdated but still useful. Please note that we are
>>>> currently working on making the integration of samba more easy. Recently
>>>> I send a patch to the samba-technical mailing list with a library which
>>>> would allow samba to use SSSD instead of winbind to look up users and
>>>> SID-to-name mapping. Alexander is planning to go through the ipasam
>>>> modules to see how to make integration with Samba file-servers more
>>>> easy.
>>>>
>>>> But coming back to your questions.
>>>>
>>>>>
>>>>> 1.       The guide deals with setting a Samba server SID for one Samba
>>>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>>>>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>>>>> have more than 1 plugin (seems unlikely)?
>>>>
>>>>
>>>>
>>>> 'net getlocalsid' returns the domain SID and since all you Samba
>>>> file-servers are member of the IPA domain you can use a common SID here.
>>>>
>>>> With IPAv3 SID generation for users and groups is even more easy because
>>>> you can get it for free by running ipa-adtrust-install (please use the
>>>> option --add-sids) if you already have users and groups in your IPA
>>>> server. This prepares the IPA server to be able to create trust
>>>> relationships to Active Directory and one requirement here is that all
>>>> users and groups have SID.
>>>>
>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>>>> trustconfig-show' will show the domain SID together with the DNS domain
>>>> name and the NetBIOS domain name. On your Samba server you should set
>>>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>>>> server after running ipa-adtrust-install for a config example).
>>>>
>>>> Additionally on your Samba servers you have to set the domain SID in
>>>> /var/lib/samba/private/secrets.tdb  with tdbtool. You will need 3
>>>> keys with the same SID
>>>>
>>>> SECRETS/SID/DOMNETBIOS  <- NetBIOS domain name, workgroup in smb.conf
>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
>>>>                                  smb.conf
>>>> SECRETS/SID/CLINETBIOS  <- NetBIOS name of the client, 'netbios name' in
>>>>                              smb.conf
>>>>
>>>> The SID has to be given in a special binary format. The easiest way to
>>>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>>>> IPA server after running ipa-adtrust-install. The domain SID will always
>>>> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
>>>> as data for the insert command of tdbtool.
>>>>
>>>> Now everything should be done with respect to SID handling.
>>>>
>>>>>
>>>>> 2.       There’s no “/usr/share/ipa/ui/group.js” file to patch in
>>>>> IPAv3. What do I need to patch instead?
>>>>>
>>>>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>>>>> shows the need is there but I could do with getting it working ASAP.
>>>>
>>>>
>>>>
>>>> group.js is compliend with the other UI files in
>>>> /usr/share/ipa/ui/js/freeipa/app.js (see
>>>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>>>> for details). For your convenience I copied some section here:
>>>>
>>>> "The compiled Web UI layer is located in
>>>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
>>>> source git repository in `install/ui/src/freeipa/` directory to the
>>>> `/usr/share/ipa/ui/js/freeipa/` directory (in will replace the `app.js`
>>>> file). By doing that, next reload of Web UI will use source files
>>>> (clearing browser cache may be required). After that all JavaScript
>>>> errors will contain proper source code name and line number."
>>>
>>>
>>>
>>> Better approach is to create a custom UI plugin which would add those
>>> fields. Since it's only 3 fields, I create an example which works on
>>> FreeIPA
>>> 4.0 and theoretically it should work on 3.2 as well:
>>>
>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>>
>>> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
>>>
>>> I did not test it with backend (no labels + doesn't do anything).
>>>
>>> More about plugin development:
>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>>
>>> Creating CLI plugin is IMO also better approach.
>>>
>>>
>>>>
>>>>>
>>>>> I may be missing something obvious but some help would be greatly
>>>>> appreciated!
>>>>
>>>>
>>>>
>>>> I hope my comments will help you. Feel free to ask for more help if
>>>> needed. It would be nice to hear from any success as well.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Dylan.
>>>>>
>>>>> Background:
>>>>>
>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>>>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>>>>> ideally suited for.
>>>>>
>>>>>
>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>>>>> Linux hosts, access to home and project directories via NFS from the
>>>>> Linux machines using autofs/automount and access to Samba file-shares
>>>>> from Windows machines but not using AD creds as this is a totally
>>>>> separate environment. Several locations will each have a FreeIPA
>>>>> replica server, NFS/Samba fileserver and “application” server.
>>>>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>>>>> and need to consolidate to one password for everything.
>>>>>
>>>>>
>>>>> Progress: Linux-based NFS stuff working fine – automount of home and
>>>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>>>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>>>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>>>>> 3.3.5 on Fedora 20.
>>>>>
>>> --
>>> Petr Vobornik
>
>
>
> --
> Petr Vobornik