[Freeipa-users] Woes adding a samba server to the ipa domain

Dmitri Pal dpal at redhat.com
Tue Oct 21 01:19:20 UTC 2014

On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> Hi all,
> I wanted to install a samba server (or more precisely a winbind server
> for pptp authentication) in an IPA domain which trusts an AD domain.
> I know that this configuration is not supported but since it works with
> plain samba or samba+ldap I wanted to give it a shot to see how far one
> could get.
> First step, added a group for Domain Computers in ipa, with SID
> S-1-XXXX-515:
> dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
> ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> objectClass: ipausergroup
> objectClass: ipaobject
> objectClass: posixgroup
> objectClass: ipantgroupattrs
> cn: domaincomputers
> description: domain computers
> ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
> gidNumber: 1870500500
> Second step, added posix attributes to the ipa host object where samba
> would be installed, added SID information, and made it a member of the
> domain computers group:
> dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
> displayName: gcentralproxy
> sn: proxy
> givenName: gcentral
> gecos: gcentralproxy
> uidNumber: 1870400015
> gidNumber: 1870500500
> homeDirectory: /dev/null
> loginShell: /sbin/nologin
> uid: gcentralproxy$
> ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
> cn: gcentralproxy.cosmeticosgenesis.com
> objectClass: ipaobject
> objectClass: nshost
> objectClass: ipahost
> objectClass: pkiuser
> objectClass: ipaservice
> objectClass: krbprincipalaux
> objectClass: krbprincipal
> objectClass: ieee802device
> objectClass: ipasshhost
> objectClass: top
> objectClass: ipaSshGroupOfPubKeys
> objectClass: ipantuserattrs
> objectClass: posixAccount
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> fqdn: gcentralproxy.YYYYY
> krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
> serverHostName: gcentralproxy
> Third step, I added a cifs service for the host in ipa, and exported the
> keytab on the samba server.
> Fourth step, added a simple samba configuration file on the future samba
> server:
> [global]
> 	workgroup = YYYY
> 	realm = XXXX
> 	dedicated keytab file = FILE:/etc/samba/samba.keytab
> 	kerberos method = dedicated keytab
> 	log file = /var/log/samba/log.%m
> 	max log size = 100000
> 	security = domain
> Trying to join the server to the domain (net rpc join -U domainadmin -S
> ipaserver) fails, and it causes a samba crash on the ipa server.
> Investigating the cause of the crash I found that pdbedit crashes as
> well (backtrace attached). I couldn't get a meaningful backtrace from
> the samba crash however I attached it as well.
> Seems to me that the samba ipasam backend on ipa doesn't like something
> in the host or the "domain computers" group object in ldap, but I cannot
> see what could be the problem. Perhaps someone more familiar with the
> ipasam code can spot it quickly.
> Best regards

Do I get it right that you are really looking for 
https://fedorahosted.org/sssd/ticket/1588 that was just released upstream?
It would be cool if you can try using SSSD 1.12.1 under Samba FS in the 
use case you have and provide feedback on how it works for you.

AFAIU you install Samba FS and then use ipa-client to configure SSSD 
under it and it should work.
If not we probably should document it (but I do not see any special 
design page which leads me to the above expectation).

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
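
The two objects the poster created by hand in steps one and two (the "Domain Computers" group and the POSIX/SID attributes on the host entry) can be generated instead of typed, with a check that every ipaNTSecurityIdentifier written actually carries the IPA domain's own SID prefix and a RID. The following is an added example, not code from this thread, from FreeIPA or from Samba: it assumes the IPA domain SID is taken from `ipa trustconfig-show` (the "Security Identifier" field), and the suffix, host name, id numbers and the RID 14301 used below are constructed placeholders mirroring the post. The attribute and objectClass sets are the ones the poster showed; RID 515 is the well-known Domain Computers RID the post used.

```python
"""Generate ldapmodify input for a "Domain Computers" group and for the
POSIX/SID attributes of an IPA host entry, validating SIDs first.
Added example; all SID, suffix, host and id values are constructed."""
import re

DOMAIN_COMPUTERS_RID = 515   # well-known RID, as used in the post

# S-1-5-21-<a>-<b>-<c>[-<rid>]: three sub-authorities plus an optional RID
_SID_RE = re.compile(
    r"^S-1-5-21(?:-(?:0|[1-9]\d{0,9})){3}(?:-(?:0|[1-9]\d{0,9}))?$")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID.
    Raises ValueError for anything that is not an NT domain SID."""
    if not _SID_RE.match(sid):
        raise ValueError("not an NT domain SID: %r" % (sid,))
    parts = sid.split("-")
    for sub in parts[4:]:
        if int(sub) > 0xFFFFFFFF:          # sub-authorities are 32-bit
            raise ValueError("sub-authority out of range in %r" % (sid,))
    if len(parts) == 7:                    # S,1,5,21,a,b,c
        return sid, None
    return "-".join(parts[:7]), int(parts[7])


def in_domain(domain_sid, sid):
    """True iff sid is a member SID (prefix matches and a RID is present)."""
    dom, rid = split_sid(domain_sid)
    if rid is not None:
        raise ValueError("domain SID must not carry a RID: %r" % (domain_sid,))
    prefix, member_rid = split_sid(sid)
    return prefix == dom and member_rid is not None


def domain_computers_ldif(suffix, domain_sid, gid, cn="domaincomputers"):
    """LDIF adding the group with SID <domain>-515, objectClasses as in the post."""
    sid = "%s-%d" % (domain_sid, DOMAIN_COMPUTERS_RID)
    if not in_domain(domain_sid, sid):
        raise ValueError("group SID %s is not in domain %s" % (sid, domain_sid))
    lines = ["dn: cn=%s,cn=groups,cn=accounts,%s" % (cn, suffix), "changetype: add"]
    for oc in ("top", "groupofnames", "nestedgroup", "ipausergroup",
               "ipaobject", "posixgroup", "ipantgroupattrs"):
        lines.append("objectClass: " + oc)
    lines += ["cn: " + cn, "description: domain computers",
              "gidNumber: %d" % gid, "ipaNTSecurityIdentifier: " + sid]
    return "\n".join(lines) + "\n"


def host_modify_ldif(suffix, domain_sid, fqdn, uid_number, gid, rid):
    """LDIF adding the posixAccount/inetOrgPerson/ipantuserattrs attributes
    the post put on an existing host entry (machine account 'host$')."""
    sid = "%s-%d" % (domain_sid, rid)
    if not in_domain(domain_sid, sid):
        raise ValueError("host SID %s is not in domain %s" % (sid, domain_sid))
    short = fqdn.split(".")[0]
    attrs = [
        ("objectClass", ["posixAccount", "inetorgperson",
                         "organizationalPerson", "person", "ipantuserattrs"]),
        ("uid", [short + "$"]),             # trailing '$': machine account name
        ("uidNumber", [str(uid_number)]),
        ("gidNumber", [str(gid)]),          # the Domain Computers gid
        ("homeDirectory", ["/dev/null"]),
        ("loginShell", ["/sbin/nologin"]),
        ("displayName", [short]), ("sn", [short]), ("givenName", [short]),
        ("gecos", [short]),
        ("ipaNTSecurityIdentifier", [sid]),
    ]
    lines = ["dn: fqdn=%s,cn=computers,cn=accounts,%s" % (fqdn, suffix),
             "changetype: modify"]
    for name, values in attrs:
        lines.append("add: " + name)
        lines += ["%s: %s" % (name, v) for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values; the real domain SID comes from `ipa trustconfig-show`.
    DOM = "S-1-5-21-1967106394-3235870896-3821617943"
    SUFFIX = "dc=example,dc=test"
    print(domain_computers_ldif(SUFFIX, DOM, 1870500500))
    print(host_modify_ldif(SUFFIX, DOM, "gcentralproxy.example.test",
                           1870400015, 1870500500, 14301))
```

The output is meant to be piped to `ldapmodify -Y GSSAPI` as an admin; the SID check refuses a group or host SID whose prefix differs from the IPA domain SID, or that lacks a RID, before anything is written. Steps three and four (the cifs service, the keytab and smb.conf) are unchanged from the post.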
