[Freeipa-users] FreeIPA 3.3.3-28 Integration with Samba 4.1.1-37 Problems

Clint Savage herlo1 at gmail.com
Wed Oct 29 16:37:18 UTC 2014


Interestingly enough, I have almost the same setup here.

I did an ipa-server install, then did ipa-adtrust-install. Afterward, I
went through and grabbed the configs with 'net conf list' and modified it
to use my shares. This one is just my testing, but the production one works
perfectly!

How did you import your users? I did mine by setting up an openldap and
importing an ldif with the proper DN values. Then ran ipa migrate-ds. In
some cases, certain data didn't migrate, so I added that with ldapmodify as
necessary.

Here's what my samba config looks like with 'net conf list'. It seems it's
pretty much the same as yours. Except for mine working, of course.

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    log file = /var/log/samba/log.%m
    max log size = 100000
    disable spoolss = Yes
    domain logons = Yes
    domain master = Yes
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    ldap suffix = dc=example,dc=com
    ldap ssl = no
    ldap user suffix = cn=users,cn=accounts
    registry shares = Yes
    create krb5 conf = No
    rpc_daemon:lsasd = fork
    rpc_daemon:epmd = fork
    rpc_server:tcpip = yes
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_server:lsasd = external
    rpc_server:lsass = external
    rpc_server:lsarpc = external
    rpc_server:epmapper = external
    ldapsam:trusted = yes
    idmap config * : backend = tdb

[homes]
    browseable = no
    comment = Home Directories
    read only = no

[share1]
    browseable = yes
    read only = no
    path = /srv/samba/share1
    comment = Temporary Public Share
    valid users = @testgroup

Cheers,

herlo

On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith <jasonsmith at attask.com> wrote:

> A little history.  We migrated from an OpenLDAP system to FreeIPA.  The
> IPA version is listed above.  I have samba installed and integrated
> directly on the FreeIPA box.
> The problem we're having is that users who were migrated can no longer see
> the samba shares.  We are connecting to these shares through Mac OSX.  When
> accessing the share with smbclient -L mydomain at domain.com I get the
> response *session setup failed: NT_STATUS_CONNECTION_DISCONNECTED.* This
> is the response I get when connected to the FreeIPA/Samba box.
>
> Users were able to access these shares, then overnight, they weren't.  No
> changes were made to the samba config or the FreeIPA.  *Any new user
> created through FreeIPA can see and browse any share they have access to.*
>
> If there's any other information needed, please let me know.  Thank you!!!
>
> Below are a couple configs I have set:
>
> *Samba global settings*
> [global]
>     workgroup = ATTASK
>     netbios name = IPA01
>     realm = ATTASK.CORP
>     passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
>     kerberos method = dedicated keytab
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     log file = /var/log/samba/log.%m
>     max log size = 100000
>     disable spoolss = Yes
>     domain logons = Yes
>     domain master = Yes
>     ldap group suffix = cn=groups,cn=accounts
>     ldap machine suffix = cn=computers,cn=accounts
>     ldap suffix = dc=attask,dc=corp
>     ldap ssl = no
>     ldap user suffix = cn=users,cn=accounts
>     registry shares = Yes
>     create krb5 conf = No
>     rpc_daemon:lsasd = fork
>     rpc_daemon:epmd = fork
>     rpc_server:tcpip = yes
>     rpc_server:netlogon = external
>     rpc_server:samr = external
>     rpc_server:lsasd = external
>     rpc_server:lsass = external
>     rpc_server:lsarpc = external
>     rpc_server:epmapper = external
>     ldapsam:trusted = yes
>     idmap config * : backend = tdb
>
> *User Not Working:*
>  dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
>   uid: test
>   sn: test
>   cn: test
>   mail: test at test.com
>   nsaccountlock: False
>   has_password: True
>   has_keytab: True
>   dialupAccess: yes
>   displayName: test test
>   emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
>   gidNumber: 107001365
>   givenName: test
>   homeDirectory: /home/test
>   ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
>   ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
>   krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
>   krbLastFailedAuth: 20141028151647Z
>   krbLastPwdChange: 20141028152120Z
>   krbLastSuccessfulAuth: 20141028152012Z
>   krbLoginFailedCount: 0
>   krbPasswordExpiration: 20150122152120Z
>   krbPrincipalName: test at ATTASK.CORP
>   krbTicketFlags: 128
>   loginShell: /sbin/nologin
>   memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
>   memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
>   memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
>   objectClass: krbticketpolicyaux
>   objectClass: ipaobject
>   objectClass: organizationalperson
>   objectClass: top
>   objectClass: customPersonAttributes
>   objectClass: ipasshuser
>   objectClass: inetorgperson
>   objectClass: sambaSamAccount
>   objectClass: person
>   objectClass: inetuser
>   objectClass: krbprincipalaux
>   objectClass: radiusProfile
>   objectClass: posixaccount
>   objectClass: ipaSshGroupOfPubKeys
>   objectClass: ipantuserattrs
>   radiusTunnelMediumType: IEEE-802
>   radiusTunnelPrivateGroupId: 1424
>   radiusTunnelType: VLAN
>   sambaPwdLastSet: 0
>   sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
>   uidNumber: 107001355
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
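An added check, not code from either post: it parses an LDIF-style user entry like the one quoted above (sample values copied from that entry, reduced to the attributes the check reads) and reports what a reader would compare between a migrated user and a freshly created one: whether the ipantuserattrs class that ipasam stores its NT attributes in is present, and how the legacy sambaSID relates to ipaNTSecurityIdentifier, which in the quoted entry share the domain SID but carry different RIDs.

```python
import re

# Constructed sample: the migrated user's entry as quoted in the thread,
# reduced to the attributes this check looks at (values copied from the post).
SAMPLE_ENTRY = """\
dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
uid: test
ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
objectClass: sambaSamAccount
objectClass: ipantuserattrs
objectClass: posixaccount
sambaPwdLastSet: 0
sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
uidNumber: 107001355
"""

def parse_entry(text):
    """Parse one LDIF-style entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-... SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_entry(text):
    """Report the ipasam-related attributes of the entry and how the two SIDs compare."""
    e = parse_entry(text)
    classes = {c.lower() for c in e.get("objectclass", [])}
    ipa_sid = e.get("ipantsecurityidentifier", [None])[0]
    legacy_sid = e.get("sambasid", [None])[0]
    both = ipa_sid is not None and legacy_sid is not None
    return {
        "has_ipantuserattrs": "ipantuserattrs" in classes,
        "has_legacy_sambasamaccount": "sambasamaccount" in classes,
        "ipa_sid": ipa_sid,
        "legacy_sid": legacy_sid,
        "same_domain_sid": both and split_sid(ipa_sid)[0] == split_sid(legacy_sid)[0],
        "same_rid": both and split_sid(ipa_sid)[1] == split_sid(legacy_sid)[1],
        "sambapwdlastset_zero": e.get("sambapwdlastset", [""])[0] == "0",
    }

if __name__ == "__main__":
    for key, value in check_entry(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Run it against the output of an ldapsearch for a working and a non-working user to see which of these fields differ between them.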