
Re: [Freeipa-users] Woes adding a samba server to the ipa domain

On 10/20/2014 09:15 AM, Loris Santamaria wrote:
Hi all,

I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.

I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
could get.

First step, added a group for Domain Computers in ipa, with SID

dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:

dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy cosmeticosgenesis com YYYY
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.

Fourth step, added a simple samba configuration file on the future samba

	workgroup = YYYY
	realm = XXXX
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	kerberos method = dedicated keytab
	log file = /var/log/samba/log.%m
	max log size = 100000
	security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.

Best regards
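A consistency check over the two LDAP objects posted above, added here as an example (not from the thread or from the ipasam code): it parses the host and group LDIF, confirms both SIDs share one domain prefix, that the group carries the well-known Domain Computers RID 515, that the machine account's gidNumber points at that group and that its uid ends in '$'. The domain SID prefix and DN suffixes below are taken from the host entry and used as placeholders for the anonymised values in the group entry.

```python
import re
# Constructed sample: the two LDIF entries from the post above, reduced to the
# attributes the checks inspect (DN suffixes and the domain SID are placeholders).
GROUP_LDIF = """dn: cn=domaincomputers,cn=groups,cn=accounts,dc=example
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-515
gidNumber: 1870500500
"""
HOST_LDIF = """dn: fqdn=gcentralproxy.example,cn=computers,cn=accounts,dc=example
uidNumber: 1870400015
gidNumber: 1870500500
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
objectClass: ipantuserattrs
objectClass: posixAccount
"""

# Domain SID prefix plus RID; 515 is the well-known RID of Domain Computers.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_COMPUTERS_RID = 515

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, keeping multi-valued attrs."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(attr, []).append(value.strip())
    return entry

def check_machine_account(host, group):
    """Return a list of findings; an empty list means the objects look consistent."""
    findings = []
    hsid = SID_RE.match(host.get("ipaNTSecurityIdentifier", [""])[0])
    gsid = SID_RE.match(group.get("ipaNTSecurityIdentifier", [""])[0])
    if not (hsid and gsid):
        findings.append("malformed or missing ipaNTSecurityIdentifier")
    else:
        if hsid.group(1) != gsid.group(1):
            findings.append("host and group SIDs belong to different domains")
        if int(gsid.group(2)) != DOMAIN_COMPUTERS_RID:
            findings.append("group RID is not 515 (Domain Computers)")
    if host.get("gidNumber") != group.get("gidNumber"):
        findings.append("host gidNumber does not match the group's gidNumber")
    if not host.get("uid", [""])[0].endswith("$"):
        findings.append("machine account uid does not end with '$'")
    for oc in ("posixAccount", "ipantuserattrs"):
        if oc not in host.get("objectClass", []):
            findings.append("host lacks objectClass " + oc)
    return findings
```

Run it against the real entries (ldapsearch -LLL output works as input) before trying net rpc join; it only catches the obvious mismatches, not whatever ipasam itself trips over.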

Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream?
It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you.

AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work.
If not we probably should document it (but I do not see any special design page which leads me to the above expectation).

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
