[Freeipa-users] Getting Samba3 and FreeIPAv3 working together

Dylan Evans devans01 at gmail.com
Tue Jun 3 14:37:05 UTC 2014


Hello again,

Just realised by re-reading this thread that I still needed to create
the DNA plugin.

I've now done that and I can add users, sorry for being stupid...

Dylan.



On 3 June 2014 14:44, Dylan Evans <devans01 at gmail.com> wrote:
> Hi Petr & Sumit,
>
> I've been trying to get further with my setup.
>
> 1. Thanks Petr, the groups.js plugin seems to work fine, it shows the
> correct info on the GUI screen and seems to be ok.
>
> 2. Sumit, I'm afraid that I'm having a few more problems after running
> "ipa-adtrust-install --add-sids". I cannot now add any users on the
> server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I
> get the following error:
>
> GUI:
> IPA Error 4205
> missing attribute: "sambaSID" required by object class "sambaSamAccount"
>
> Command-line:
> ipa user-add test1234 .....
> ipa: ERROR: missing attribute "sambaSID" required by object class
> "sambaSamAccount"
>
> Also, when editing an existing user, there is no sambaSID field
> available to edit.
>
> If you have any ideas, please let me know.
>
> Thanks,
>
> Dylan.
>
>
> On 26 May 2014 11:40, Petr Vobornik <pvoborni at redhat.com> wrote:
>> On 23.5.2014 16:31, Dylan Evans wrote:
>>>
>>> Hi Sumit and Petr,
>>>
>>> Thanks both of you for your replies, I've now got to go and try to
>>> implement all your suggestions but I have some more questions, sorry!
>>> The guide at techslaves was fine, I just got stuck with the changes in
>>> the JavaScript packages and the Samba server questions.
>>>
>>> 1. Petr, I put your samba.js plugin into
>>> /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
>>> of JS knowledge, anything more than simple Bash scripts tends to leave
>>> me confused! Do I need to do anything else apart from restart the IPA
>>> service? I read your info at
>>> http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
>>> plugins have to be registered, but I couldn't work out if it's a
>>> manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
>>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
>>> for the CLI as well.
>>
>>
>> Should be automatically handled by the plugin.py wsgi handler and related
>> logic in the Web UI. Just make sure that the file and the directory have the
>> same names (except for the extension in the file's case, of course).
>>
>>
>>>
>>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now
>>> and try it next week. BTW, the version of Samba I'm testing against is
>>> 3.6.9-168 on CentOS 6.5.
>>>
>>> Thanks again for your information and patience,
>>>
>>> Dylan.
>>>
>>> On 22 May 2014 14:19, Petr Vobornik <pvoborni at redhat.com> wrote:
>>>>
>>>> On 22.5.2014 14:19, Sumit Bose wrote:
>>>>>
>>>>>
>>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I need some help with getting Samba and FreeIPA working together.
>>>>>>
>>>>>> I’ve been following the guide at
>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>>>>>> that seems quite out of date for IPAv3 and I need some help:
>>>>>
>>>>> yes, it is a bit outdated but still useful. Please note that we are
>>>>> currently working on making the integration of Samba easier. Recently
>>>>> I sent a patch to the samba-technical mailing list with a library which
>>>>> would allow Samba to use SSSD instead of winbind to look up users and
>>>>> SID-to-name mapping. Alexander is planning to go through the ipasam
>>>>> modules to see how to make integration with Samba file-servers
>>>>> easier.
>>>>>
>>>>> But coming back to your questions.
>>>>>
>>>>>>
>>>>>> 1.       The guide deals with setting a Samba server SID for one Samba
>>>>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>>>>>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>>>>>> have more than 1 plugin (seems unlikely)?
>>>>>
>>>>> 'net getlocalsid' returns the domain SID and since all your Samba
>>>>> file-servers are members of the IPA domain you can use a common SID here.
>>>>>
>>>>> With IPAv3 SID generation for users and groups is even easier because
>>>>> you can get it for free by running ipa-adtrust-install (please use the
>>>>> option --add-sids) if you already have users and groups in your IPA
>>>>> server. This prepares the IPA server to be able to create trust
>>>>> relationships to Active Directory and one requirement here is that all
>>>>> users and groups have a SID.
>>>>>
>>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>>>>> trustconfig-show' will show the domain SID together with the DNS domain
>>>>> name and the NetBIOS domain name. On your Samba server you should set
>>>>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>>>>> server after running ipa-adtrust-install for a config example).
>>>>>
>>>>> Additionally on your Samba servers you have to set the domain SID in
>>>>> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
>>>>> keys with the same SID
>>>>>
>>>>> SECRETS/SID/DOMNETBIOS  <- NetBIOS domain name, workgroup in smb.conf
>>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
>>>>>                                  smb.conf
>>>>> SECRETS/SID/CLINETBIOS  <- NetBIOS name of the client, 'netbios name' in
>>>>>                              smb.conf
>>>>>
>>>>> The SID has to be given in a special binary format. The easiest way to
>>>>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>>>>> IPA server after running ipa-adtrust-install. The domain SID will always
>>>>> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
>>>>> as data for the insert command of tdbtool.
>>>>>
>>>>> Now everything should be done with respect to SID handling.
>>>>>
>>>>>>
>>>>>> 2.       There’s no “/usr/share/ipa/ui/group.js” file to patch in
>>>>>> IPAv3. What do I need to patch instead?
>>>>>>
>>>>>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>>>>>> shows the need is there but I could do with getting it working ASAP.
>>>>>
>>>>> group.js is compiled with the other UI files in
>>>>> /usr/share/ipa/ui/js/freeipa/app.js (see
>>>>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>>>>> for details). For your convenience I copied a section here:
>>>>>
>>>>> "The compiled Web UI layer is located in
>>>>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
>>>>> source git repository in `install/ui/src/freeipa/` directory to the
>>>>> `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
>>>>> file). By doing that, next reload of Web UI will use source files
>>>>> (clearing browser cache may be required). After that all JavaScript
>>>>> errors will contain proper source code name and line number."
>>>>
>>>> A better approach is to create a custom UI plugin which would add those
>>>> fields. Since it's only 3 fields, I created an example which works on
>>>> FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>>>>
>>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>>>
>>>> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
>>>>
>>>> I did not test it with backend (no labels + doesn't do anything).
>>>>
>>>> More about plugin development:
>>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>>>
>>>> Creating a CLI plugin is IMO also a better approach.
>>>>
>>>>
>>>>>
>>>>>>
>>>>>> I may be missing something obvious but some help would be greatly
>>>>>> appreciated!
>>>>>
>>>>> I hope my comments will help you. Feel free to ask for more help if
>>>>> needed. It would be nice to hear from any success as well.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dylan.
>>>>>>
>>>>>> Background:
>>>>>>
>>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>>>>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>>>>>> ideally suited for.
>>>>>>
>>>>>>
>>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>>>>>> Linux hosts, access to home and project directories via NFS from the
>>>>>> Linux machines using autofs/automount and access to Samba file-shares
>>>>>> from Windows machines but not using AD creds as this is a totally
>>>>>> separate environment. Several locations will each have a FreeIPA
>>>>>> replica server, NFS/Samba fileserver and “application” server.
>>>>>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>>>>>> and need to consolidate to one password for everything.
>>>>>>
>>>>>>
>>>>>> Progress: Linux-based NFS stuff working fine – automount of home and
>>>>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>>>>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>>>>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>>>>>> 3.3.5 on Fedora 20.
>>>>>>
>>>> --
>>>> Petr Vobornik
>>
>> --
>> Petr Vobornik
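Added example for the secrets.tdb step Sumit describes above; this is not code from the FreeIPA project, from Samba, or from anyone in this thread. It builds the binary SID record that Samba keeps under the SECRETS/SID/* keys, checks that the record carries the \01\04\00\00\00\00\00\05\15 prefix the thread says an IPA domain SID always has, and emits the three tdbtool insert lines for one file server (workgroup, realm and netbios name keys). Two things are assumed rather than taken from the thread: that the record is the raw 68-byte struct dom_sid (revision byte, sub-authority count, 6-byte big-endian identifier authority, 15 little-endian uint32 sub-authority slots with unused slots zero), and that tdbtool's insert accepts the \XX escapes tdbdump prints, which is what the thread states. The SID, domain names and host name in the script are constructed sample values.

```python
"""Added example, not code from FreeIPA, Samba or anyone in this thread.

Builds the binary SID record Samba 3 keeps under SECRETS/SID/* in
secrets.tdb and prints the tdbtool 'insert' lines for the three keys the
thread lists.  Assumptions (from Samba's struct dom_sid, not the thread):
the record is the raw 68-byte struct (1 revision byte, 1 sub-authority
count, 6-byte big-endian identifier authority, 15 little-endian uint32
sub-authority slots, unused slots zero); and tdbtool's insert accepts the
\\XX escapes tdbdump prints, as the thread says.  All SIDs and names here
are constructed sample values.
"""
import re
import struct

MAX_SUB_AUTHS = 15
DOM_SID_SIZE = 1 + 1 + 6 + 4 * MAX_SUB_AUTHS        # 68 bytes
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def sid_to_dom_sid(sid):
    """Encode 'S-1-5-21-a-b-c' as the fixed-size struct dom_sid Samba stores."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a textual SID: %r" % sid)
    id_auth = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > MAX_SUB_AUTHS or id_auth >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID does not fit struct dom_sid: %r" % sid)
    head = bytes([1, len(subs)]) + id_auth.to_bytes(6, "big")
    body = b"".join(struct.pack("<I", s) for s in subs)      # host order on x86
    return head + body + b"\x00" * (4 * (MAX_SUB_AUTHS - len(subs)))


def dom_sid_to_sid(raw):
    """Decode a record read back from secrets.tdb (trailing zero slots ignored)."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("unsupported SID revision or truncated record")
    n = raw[1]
    if n > MAX_SUB_AUTHS or len(raw) < 8 + 4 * n:
        raise ValueError("sub-authority count does not match record length")
    id_auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % n, raw[8:8 + 4 * n])
    return "S-1-%d%s" % (id_auth, "".join("-%d" % s for s in subs))


def looks_like_domain_sid(raw):
    """The check from the thread: an IPA domain SID record starts with
    \\01\\04\\00\\00\\00\\00\\00\\05\\15 (revision 1, four sub-authorities,
    NT authority 5, first sub-authority 21)."""
    return raw[:9] == b"\x01\x04\x00\x00\x00\x00\x00\x05\x15"


def tdb_escape(raw):
    """Render bytes as tdbdump prints them: printable ASCII verbatim,
    everything else (plus backslash and double quote) as \\XX."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and chr(b) not in '\\"'
                   else "\\%02X" % b for b in raw)


def tdb_unescape(text):
    """Inverse of tdb_escape, for checking a line pasted from tdbdump."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 3 <= len(text):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def secrets_sid_commands(domain_sid, netbios_domain, dns_domain, netbios_host):
    """tdbtool lines for the three keys the thread lists; names are uppercased
    as in the thread's SECRETS/SID/DOMNETBIOS and SECRETS/SID/DNS.DOMAIN.NAME."""
    raw = sid_to_dom_sid(domain_sid)
    if not looks_like_domain_sid(raw):
        raise ValueError("%s is not a domain SID (expected S-1-5-21-x-y-z)" % domain_sid)
    data = tdb_escape(raw)
    keys = (netbios_domain, dns_domain, netbios_host)
    return ["insert SECRETS/SID/%s %s" % (k.upper(), data) for k in keys]


if __name__ == "__main__":
    # Constructed sample values; take the real ones from 'ipa trustconfig-show'
    # and the file server's smb.conf (workgroup, realm, netbios name).
    cmds = secrets_sid_commands("S-1-5-21-3623811015-3361044348-30300820",
                                "EXAMPLE", "example.test", "fs01")
    print("tdbtool /var/lib/samba/private/secrets.tdb")
    for c in cmds:
        print("  " + c)
```

Before inserting anything, stop smbd on the file server and compare the data string the script prints with the domain SID record from 'tdbdump /var/lib/samba/private/secrets.tdb' on the IPA server, as the thread suggests; the two must be byte-identical, and tdb_unescape lets you check a pasted tdbdump line decodes back to the expected S-1-5-21 SID.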



