[Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu

[Alexander Bokovoy]

On Fri, 28 Mar 2014, Jason Woods wrote:
>Hi
>(Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.)
>
>> On 28 Mar 2014, at 11:32, Petr Spacek <pspacek at redhat.com> wrote:
>>
>> Please let us know if it worked for you or not. I'm curious! :-)
>
>I'm pretty curious too.
>
>I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I
>needed to add two patches though to 3.0 to fix 'valid users' group
>resolution and also performance. They're merged into master and 3.3
>and will be in RHEL 7.
>
>Apart from the patching it was easy to do - just needed ipa-server and
>ipa-server-adtrust installed and setup and it did all the config for me
>(the adtrust part sets up samba with ipasam.so for you).
>
>Problem is running ipasam.so without the ipa-server locally - is how to
>get it so the host can see ipaNTHash in the schema to check password.
>If ipa-server is local the host has access, otherwise it doesn't.
>
>So be good to find out what aci or service principal stuff makes that
>available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and may be creating a simple configuration tool.

Timing is not yet defined.

-- 
/ Alexander Bokovoy