[Freeipa-users] Woes adding a samba server to the ipa domain

John Obaterspok john.obaterspok at gmail.com
Wed Oct 29 20:40:33 UTC 2014


Hello,

I've tried this as well. My IPA is not connected to an AD. My smb.conf
looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipa server on the same box so I just had to add the cifs
server and get the keytab file in the same way.
I was a bit surprised to see that accessing samba using "smbclient -k
\\..." worked right away from a linux box. It then stopped working if I did
kdestroy.

*But,* I never got it to work from Windows. The Windows PC is not joined to
any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can
ssh login via putty without password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria <loris at lgs.com.ve>:

> On Thu, 23-10-2014 at 12:32 +0200, Sumit Bose wrote:
> > On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> > > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> > >
> > > [...]
> > >
> > > > >
> > > > > Trying to join the server to the domain (net rpc join -U domainadmin -S
> > > > > ipaserver) fails, and it causes a samba crash on the ipa server.
> > > > > Investigating the cause of the crash I found that pdbedit crashes as
> > > > > well (backtrace attached). I couldn't get a meaningful backtrace from
> > > > > the samba crash however I attached it as well.
> > > > >
> > > > > Seems to me that the samba ipasam backend on ipa doesn't like something
> > > > > in the host or the "domain computers" group object in ldap, but I cannot
> > > > > see what could be the problem. Perhaps someone more familiar with the
> > > > > ipasam code can spot it quickly.
> > >
> > > > Do I get it right that you are really looking for
> > > > https://fedorahosted.org/sssd/ticket/1588 that was just released
> > > > upstream?
> > > > It would be cool if you can try using SSSD 1.12.1 under Samba FS in
> > > > the use case you have and provide feedback on how it works for you.
> > > >
> > > > AFAIU you install Samba FS and then use ipa-client to configure SSSD
> > > > under it and it should work.
> > > > If not we probably should document it (but I do not see any special
> > > > design page which leads me to the above expectation).
> > >
> > > Ok, I'll happily try sssd 1.12.1.
> > >
> > > Just a question, in smb.conf one should use "security = domain" or
> > > "security = ads"?
> >
> > 'ads' because we want to use Kerberos. But there are some other
> > configuration options which need attention, e.g. you have to create a
> > keytab for the cifs service and make it available to samba. I'll try to
> > set up a small howto page listing the needed steps and come back to you
> > early next week.
>
> It Works :D, and here is what I did:
>
> Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
> one trusted AD forest (windows 2008R2 controllers), one Centos 7 file
> server.
>
> Step 1) On the file server enable mkosek's COPR ipa repo:
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> 2) Install required packages:
> yum -y install ipa-client sssd-libwbclient samba samba-client
>
> 3) join file server to the ipa realm:
> ipa-client-install --mkhomedir
>
> Please note that this step fails, shortly after creating the keytab and
> configuring sssd, probably caused by the version mismatch between ipa
> server (3.3) and client (4.1). I will report the failure shortly.
> Because of the failure I had to complete part of the join procedure
> manually:
> authconfig --enablesssdauth --enablemkhomedir --update (on the client)
> ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)
>
> 4) On the ipa server create the cifs principal for samba:
> ipa service-add cifs/sambatest.my.realm
>
> 5) Install keytab on the samba host:
> ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm
> -k /etc/samba/samba.keytab
>
> 6) Edit /etc/samba/smb.conf on the samba file server:
> [global]
>         workgroup = MY
>         realm = MY.REALM
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         kerberos method = dedicated keytab
>         log file = /var/log/samba/log.%m
>         security = ads
>
> [homes]
>         browsable = no
>         writable = yes
>
> [shared]
>         path = /home/shared
>         writable = yes
>         browsable = yes
>         write list = @admins
>
> 7) To enable samba /home sharing one should turn on a selinux boolean:
> setsebool -P samba_enable_home_dirs on
>
> 8) restart samba
>
> Testing:
>
> On another linux member of the IPA domain it is possible to connect to
> the samba shares using smbclient -k :
> kinit user at MY.REALM
> smbclient -k -L sambatest.my.realm
> smbclient -k //sambatest.my.realm/shared
>
> On a windows machine, member of the AD domain it is possible to connect
> to the samba shares typing in the windows explorer location bar:
> \\sambatest.my.realm
> Also, if the ad user is an (indirect) member of the IPA admins group,
> thanks to the trust relationship, with the above smb.conf he may have
> write access to the \shared folder.
>
> Thanks to the ipa and sssd teams for this great enablement!
> --
> Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
> Links Global Services, C.A.            http://www.lgs.com.ve
> Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
>
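A small check script for the configuration the howto above relies on (security = ads, a dedicated cifs keytab, and a keytab principal matching the realm in smb.conf). This is an added example, not code from the thread or from the FreeIPA/Samba projects; the smb.conf text and the `klist -kt` output it parses are constructed samples modelled on the thread, and the host name `sambatest.my.realm` is taken from the post.

```python
import configparser
import re

# Constructed sample modelled on the smb.conf [global] section from the thread.
SMB_CONF = """\
[global]
        workgroup = MY
        realm = MY.REALM
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        security = ads
"""

# Constructed sample of `klist -kt /etc/samba/samba.keytab` output (MIT format).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/29/2014 20:00:00 cifs/sambatest.my.realm@MY.REALM
   1 10/29/2014 20:00:00 cifs/sambatest.my.realm@MY.REALM
"""


def keytab_principals(klist_text):
    """Return the set of principals listed in `klist -kt` output."""
    principals = set()
    for line in klist_text.splitlines():
        # KVNO, date, time, principal; header and separator lines do not match
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_samba_kerberos(smb_conf_text, klist_text, fqdn):
    """Return a list of problems; an empty list means the setup matches the howto."""
    # interpolation=None: the '%m' in 'log file' would otherwise trip configparser
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(smb_conf_text)
    g = cp["global"]
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads' to use Kerberos")
    if g.get("kerberos method", "").lower() != "dedicated keytab":
        problems.append("kerberos method must be 'dedicated keytab'")
    if not g.get("dedicated keytab file", ""):
        problems.append("dedicated keytab file is not set")
    realm = g.get("realm", "")
    if realm != realm.upper():
        problems.append("realm should be the upper-case Kerberos realm")
    want = f"cifs/{fqdn}@{realm}"  # the principal created with ipa service-add
    if want not in keytab_principals(klist_text):
        problems.append(f"keytab does not contain {want}")
    return problems
```

On a real host, feed it the contents of /etc/samba/smb.conf and the output of `klist -kt /etc/samba/samba.keytab` instead of the constructed samples.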