On 10/20/2014 09:15 AM, Loris Santamaria wrote:
Hi all, I wanted to install a samba server (or more precisely a winbind server for pptp authentication) in an IPA domain which trusts an AD domain. I know that this configuration is not supported, but since it works with plain samba or samba+ldap I wanted to give it a shot to see how far one could get.

First step, added a group for Domain Computers in ipa, with SID S-1-XXXX-515:

dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba would be installed, added SID information, and made it a member of the domain computers group:

dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy cosmeticosgenesis com YYYY
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the keytab on the samba server.
Fourth step, added a simple samba configuration file on the future samba server:

[global]
workgroup = YYYY
realm = XXXX
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 100000
security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it causes a samba crash on the ipa server. Investigating the cause of the crash I found that pdbedit crashes as well (backtrace attached). I couldn't get a meaningful backtrace from the samba crash; however, I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something in the host or the "domain computers" group object in ldap, but I cannot see what could be the problem. Perhaps someone more familiar with the ipasam code can spot it quickly.

Best regards
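An added consistency check for the two hand-built entries described above (illustrative code, not part of this thread and not ipasam's own validation logic). The sample LDIF is constructed with placeholder SIDs and DNs, and the checks encode assumptions about what a machine-account/"domain computers" pair should satisfy (RID 515 on the group, same domain SID on both, matching gidNumber, group membership), not what ipasam actually requires.

```python
import re

DOMAIN_COMPUTERS_RID = 515  # well-known RID of the Domain Computers group
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")  # (domain SID, RID)


def parse_ldif(text):
    """Parse single-line 'attr: value' LDIF into a list of {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_machine_account(group, host):
    """Return findings (assumed checks) for a 'domain computers' group and a host entry."""
    findings = []
    gm = SID_RE.match(group.get("ipaNTSecurityIdentifier", [""])[0])
    hm = SID_RE.match(host.get("ipaNTSecurityIdentifier", [""])[0])
    if not gm or int(gm.group(2)) != DOMAIN_COMPUTERS_RID:
        findings.append("group SID is not <domain SID>-515")
    if not hm:
        findings.append("host SID is missing or malformed")
    elif gm and hm.group(1) != gm.group(1):
        findings.append("host SID is from a different domain than the group SID")
    if host.get("gidNumber") != group.get("gidNumber"):
        findings.append("host gidNumber does not match group gidNumber")
    if host.get("dn", [""])[0] not in group.get("member", []):
        findings.append("group has no member attribute pointing at the host")
    return findings


# Constructed sample modelled on the thread's entries, with placeholder SIDs/DNs.
SAMPLE_LDIF = """\
dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-515
gidNumber: 1870500500

dn: fqdn=gcentralproxy.example.test,cn=computers,cn=accounts,dc=example,dc=test
uid: gcentralproxy$
gidNumber: 1870500500
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-14301
objectClass: posixAccount
"""
```

Run `check_machine_account(*parse_ldif(SAMPLE_LDIF))` to see the findings; with the sample as written the only finding is the missing `member` attribute on the group, which mirrors the group entry posted above.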
Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream?
It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you.
AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work.
If not we probably should document it (but I do not see any special design page which leads me to the above expectation).
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.