[Freeipa-users] FreeIPA 3.3.3-28 Integration with Samba 4.1.1-37 Problems
Clint Savage
herlo1@gmail.com
Wed Oct 29 16:37:18 UTC 2014
Interestingly enough, I have almost the same setup here.
I did an ipa-server install, then did ipa-adtrust-install. Afterward, I
went through and grabbed the configs with 'net conf list' and modified it
to use my shares. This one is just my testing, but the production one works
perfectly!
How did you import your users? I did mine by setting up an openldap and
importing an ldif with the proper DN values. Then ran ipa migrate-ds. In
some cases, certain data didn't migrate, so I added that with ldapmodify as
necessary.
Here's what my samba config looks like with 'net conf list'. It seems it's
pretty much the same as yours. Except for mine working, of course.
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 100000
disable spoolss = Yes
domain logons = Yes
domain master = Yes
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = cn=users,cn=accounts
registry shares = Yes
create krb5 conf = No
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
[homes]
browseable = no
comment = Home Directories
read only = no
[share1]
browseable = yes
read only = no
path = /srv/samba/share1
comment = Temporary Public Share
valid users = @testgroup
Cheers,
herlo
On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith <jasonsmith@attask.com> wrote:
> A little history. We migrated from an OpenLDAP system to FreeIPA. The
> IPA version is listed above. I have samba installed and integrated
> directly on the FreeIPA box.
> The problem we're having is that users who were migrated can no longer see
> the samba shares. We are connecting to these shares through Mac OSX. When
> accessing the share with smbclient -L mydomain@domain.com I get the
> response session setup failed: NT_STATUS_CONNECTION_DISCONNECTED. This
> is the response I get when connected to the FreeIPA/Samba box.
>
> Users were able to access these shares, then overnight, they weren't. No
> changes were made to the samba config or the FreeIPA. Any new user
> created through FreeIPA can see and browse any share they have access to.
>
> If there's any other information needed, please let me know. Thank you!!!
>
> Below are a couple configs I have set:
>
> Samba global settings
> [global]
> workgroup = ATTASK
> netbios name = IPA01
> realm = ATTASK.CORP
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> log file = /var/log/samba/log.%m
> max log size = 100000
> disable spoolss = Yes
> domain logons = Yes
> domain master = Yes
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> ldap suffix = dc=attask,dc=corp
> ldap ssl = no
> ldap user suffix = cn=users,cn=accounts
> registry shares = Yes
> create krb5 conf = No
> rpc_daemon:lsasd = fork
> rpc_daemon:epmd = fork
> rpc_server:tcpip = yes
> rpc_server:netlogon = external
> rpc_server:samr = external
> rpc_server:lsasd = external
> rpc_server:lsass = external
> rpc_server:lsarpc = external
> rpc_server:epmapper = external
> ldapsam:trusted = yes
> idmap config * : backend = tdb
>
> User Not Working:
> dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
> uid: test
> sn: test
> cn: test
> mail: test@test.com
> nsaccountlock: False
> has_password: True
> has_keytab: True
> dialupAccess: yes
> displayName: test test
> emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
> gidNumber: 107001365
> givenName: test
> homeDirectory: /home/test
> ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
> ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
> krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
> krbLastFailedAuth: 20141028151647Z
> krbLastPwdChange: 20141028152120Z
> krbLastSuccessfulAuth: 20141028152012Z
> krbLoginFailedCount: 0
> krbPasswordExpiration: 20150122152120Z
> krbPrincipalName: test@ATTASK.CORP
> krbTicketFlags: 128
> loginShell: /sbin/nologin
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: organizationalperson
> objectClass: top
> objectClass: customPersonAttributes
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: sambaSamAccount
> objectClass: person
> objectClass: inetuser
> objectClass: krbprincipalaux
> objectClass: radiusProfile
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: ipantuserattrs
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 1424
> radiusTunnelType: VLAN
> sambaPwdLastSet: 0
> sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
> uidNumber: 107001355
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
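Clint mentions that some data did not come across with ipa migrate-ds and that he added it afterwards with ldapmodify. The script below is an added example of doing that systematically rather than by eye; it is not code from the thread, from FreeIPA or from Samba. It parses two LDIF user entries, a known-good reference user and a migrated one, reports what the migrated entry lacks (including individual missing objectClass values) and renders the result as an ldapmodify change record. Both entries are constructed sample data: the attribute names follow the dump quoted above, but the names, ids and SIDs are made up, and the gaps in the migrated entry were invented to give the diff something to show, so they say nothing about the poster's actual entries. The NEVER_COPY and PER_USER lists are this example's own assumptions about which attributes are safe to copy.

```python
"""Diff a known-good IPA user entry against a migrated one and emit the
ldapmodify record that adds what the migrated entry lacks. Added example for
this thread, not FreeIPA or Samba code; every entry below is constructed."""

# Owned by the directory server or IPA plugins: never copy with ldapmodify.
NEVER_COPY = {a.lower() for a in (
    "dn", "memberOf", "ipaUniqueID", "nsaccountlock", "krbExtraData",
    "krbLastFailedAuth", "krbLastPwdChange", "krbLastSuccessfulAuth",
    "krbLoginFailedCount", "krbPasswordExpiration", "krbTicketFlags")}
# Unique per user: report absence, but emit a placeholder, never a copy.
PER_USER = {a.lower() for a in (
    "uid", "cn", "sn", "homeDirectory", "uidNumber", "gidNumber",
    "krbPrincipalName", "ipaNTSecurityIdentifier")}
PLACEHOLDER = "<ASSIGN-PER-USER>"

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: (AttrName, [raw values])}; raw
    values keep ": text" / ":: base64" so they round trip; folded lines joined."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # RFC 2849 line folding
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        if ":" not in line:
            raise ValueError("not an LDIF attribute line: %r" % line)
        cut = line.index(":")
        name = line[:cut].strip()
        entry.setdefault(name.lower(), (name, []))[1].append(line[cut:].rstrip())
    return entry

def _key(raw):
    # compare by content, ignoring whitespace after the separator
    return (raw.startswith("::"), raw.lstrip(":").strip())

def missing_from(reference, migrated):
    """Return [(AttrName, [raw values])] that reference has and migrated lacks.
    Multi-valued attributes are compared value by value (e.g. one objectClass)."""
    gaps = []
    for lname, (name, ref_vals) in reference.items():
        if lname in NEVER_COPY:
            continue
        have = {_key(v) for v in migrated.get(lname, (name, []))[1]}
        if lname in PER_USER:
            if not have:
                gaps.append((name, [": " + PLACEHOLDER]))
            continue
        absent = [v for v in ref_vals if _key(v) not in have]
        if absent:
            gaps.append((name, absent))
    return gaps

def to_modify_ldif(dn, gaps):
    """Render the gaps as one ldapmodify record (changetype: modify)."""
    if not gaps:
        return ""
    out = ["dn: " + dn, "changetype: modify"]
    for i, (name, vals) in enumerate(gaps):
        if i:
            out.append("-")
        out.append("add: " + name)
        out.extend(name + v for v in vals)
    return "\n".join(out) + "\n"

# Constructed reference: the shape of a user created after ipa-adtrust-install.
GOOD = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
cn: Alice Example
loginShell: /bin/bash
krbPrincipalName: alice@EXAMPLE.COM
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixaccount
objectClass: ipantuserattrs
"""
# Constructed migrated entry: loginShell, the SID and one objectClass are
# deliberately left out so the diff has something to report.
MIGRATED = """\
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
cn: Bob Example
krbPrincipalName: bob@EXAMPLE.COM
objectClass: top
objectClass: posixaccount
"""

def demo():
    """Diff the two constructed entries and return the ldapmodify LDIF."""
    ref, mig = parse_ldif_entry(GOOD), parse_ldif_entry(MIGRATED)
    return to_modify_ldif(_key(mig["dn"][1][0])[1], missing_from(ref, mig))

if __name__ == "__main__":
    print(demo(), end="")
```

Feed it the output of an ldapsearch for each user, review the generated record, replace the placeholder with the value that user is actually supposed to have, and only then apply it (for example with ldapmodify -Y GSSAPI -f gaps.ldif on the IPA server; that invocation is assumed here, not taken from the thread). memberof and the krb* state attributes are skipped on purpose because the directory maintains them and an ldapmodify of those would be rejected or would overwrite live state.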