[Freeipa-users] Woes adding a samba server to the ipa domain
john.obaterspok at gmail.com
Wed Oct 29 20:40:33 UTC 2014
I've tried this as well. My IPA is not connected to an AD. My smb.conf
looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file
I had the samba and ipa server on the same box so I just had to add the cifs
server and get keytab file in the same way.
I was a bit surprised to see that accessing samba using "smbclient -k
\\..." worked right away from a linux box. Then stopped working if I did
*But,* I never got it to work from Windows. The Windows PC is not joined to
any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can
ssh login via putty without password.
Any ideas on how to get this going from Windows as well?
2014-10-29 20:54 GMT+01:00 Loris Santamaria <loris at lgs.com.ve>:
> On Thu, 23-10-2014 at 12:32 +0200, Sumit Bose wrote:
> > On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> > > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> > >
> > > [...]
> > >
> > > > >
> > > > > Trying to join the server to the domain (net rpc join -U domainadmin -S
> > > > > ipaserver) fails, and it causes a samba crash on the ipa server.
> > > > > Investigating the cause of the crash I found that pdbedit crashes
> > > > > well (backtrace attached). I couldn't get a meaningful backtrace
> > > > > the samba crash however I attached it as well.
> > > > >
> > > > > Seems to me that the samba ipasam backend on ipa doesn't like
> > > > > in the host or the "domain computers" group object in ldap, but I
> > > > > see what could be the problem. Perhaps someone more familiar with
> > > > > ipasam code can spot it quickly.
> > >
> > > > Do I get it right that you are really looking for
> > > > https://fedorahosted.org/sssd/ticket/1588 that was just released
> > > > upstream?
> > > > It would be cool if you can try using SSSD 1.12.1 under Samba FS in
> > > > the use case you have and provide feedback on how it works for you.
> > > >
> > > > AFAIU you install Samba FS and then use ipa-client to configure SSSD
> > > > under it and it should work.
> > > > If not we probably should document it (but I do not see any special
> > > > design page which leads me to the above expectation).
> > >
> > > Ok, I'll happily try sssd 1.12.1.
> > >
> > > Just a question, in smb.conf one should use "security = domain" or
> > > "security = ads"?
> > 'ads' because we want to use Kerberos. But there are some other
> > configuration options which need attention, e.g. you have to create a
> > keytab for the cifs service and make it available to samba. I'll try to
> > set up a small howto page listing the needed steps and come back to you
> > early next week.
> It Works :D, and here is what I did:
> Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
> one trusted AD forest (windows 2008R2 controllers), one Centos 7 file
> 1) On the file server enable mkosek's COPR ipa repo:
> 2) Install required packages:
> yum -y install ipa-client sssd-libwbclient samba samba-client
> 3) join file server to the ipa realm:
> ipa-client-install --mkhomedir
> Please note that this step fails, shortly after creating the keytab and
> configuring sssd, probably caused by the version mismatch between ipa
> server (3.3) and client (4.1). I will report the failure shortly.
> Because of the failure I had to complete part of the join procedure
> authconfig --enablesssdauth --enablemkhomedir --update (on the client)
> ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)
> 4) On the ipa server create the cifs principal for samba:
> ipa service-add cifs/sambatest.my.realm
> 5) Install keytab on the samba host:
> ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm
> -k /etc/samba/samba.keytab
> 6) Edit /etc/samba/smb.conf on the samba file server:
> workgroup = MY
> realm = MY.REALM
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> kerberos method = dedicated keytab
> log file = /var/log/samba/log.%m
> security = ads
> browsable = no
> writable = yes
> path = /home/shared
> writable = yes
> write list = @admins
> 7) To enable samba /home sharing one should turn on a selinux boolean:
> setsebool -P samba_enable_home_dirs on
> 8) restart samba
> On another linux member of the IPA domain it is possible to connect to
> the samba shares using smbclient -k :
> kinit user at MY.REALM
> smbclient -k -L sambatest.my.realm
> smbclient -k //sambatest.my.realm/shared
> On a windows machine, member of the AD domain it is possible to connect
> to the samba shares typing in the windows explorer location bar:
> Also, if the ad user is an (indirect) member of the IPA admins group,
> thanks to the trust relationship, with the above smb.conf he may have
> write access to the \shared folder.
> Thanks to the ipa and sssd teams for this great enablement!
> Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
> Links Global Services, C.A. http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
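As an added example (not from the thread, and not FreeIPA's or Samba's own code), a small POSIX shell linter for the [global] settings the how-to above depends on: it checks that security is ads, that kerberos method is dedicated keytab, that the realm is set in upper case, that dedicated keytab file carries the FILE: prefix (the difference John mentions in his reply), and that the keytab is not group- or world-readable. The two smb.conf files it reads are constructed temp files, and the keytab paths are empty placeholder files created only to exercise the permission check.

```shell
#!/bin/sh
# Added example, not from the thread: lint an smb.conf for the Kerberos/keytab
# settings used in the how-to. All paths below are constructed temp files.

# smb_global_value FILE KEY: print KEY's value from the [global] section.
# Keys before the first section header are treated as global, as Samba does.
smb_global_value() {
    awk -v key="$2" '
        BEGIN { inglobal = 1 }
        /^[ \t]*[;#]/ { next }                                  # comment line
        /^[ \t]*\[/ {                                           # section header
            inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next
        }
        inglobal && tolower($0) ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# lint_smb_conf FILE: report each problem on stderr, print the problem count
# on stdout, and exit 0 only when nothing was found.
lint_smb_conf() {
    conf="$1"; n=0
    fail() { echo "  $conf: $1" >&2; n=$((n + 1)); }

    [ "$(smb_global_value "$conf" security)" = "ads" ] \
        || fail "security must be 'ads' for Kerberos logins"
    [ "$(smb_global_value "$conf" 'kerberos method')" = "dedicated keytab" ] \
        || fail "kerberos method must be 'dedicated keytab'"

    kt=$(smb_global_value "$conf" 'dedicated keytab file')
    case "$kt" in
        FILE:/*) ;;
        "")      fail "dedicated keytab file is not set" ;;
        *)       fail "dedicated keytab file '$kt' lacks the FILE: prefix" ;;
    esac

    realm=$(smb_global_value "$conf" realm)
    case "$realm" in
        "")      fail "realm is not set" ;;
        *[a-z]*) fail "realm '$realm' should be the upper-case Kerberos realm" ;;
    esac

    # The keytab holds the cifs/ service key: no group/other permission bits.
    ktpath=${kt#FILE:}
    if [ -n "$ktpath" ] && [ -f "$ktpath" ]; then
        mode=$(stat -c %a "$ktpath" 2>/dev/null || stat -f %Lp "$ktpath")
        case "$mode" in
            *00) ;;
            *)   fail "keytab $ktpath mode $mode is readable by group/other" ;;
        esac
    fi

    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample inputs: a config matching the how-to and a broken one.
GOOD_KEYTAB=$(mktemp); chmod 600 "$GOOD_KEYTAB"   # placeholder, not a real keytab
BAD_KEYTAB=$(mktemp);  chmod 644 "$BAD_KEYTAB"    # placeholder, too permissive
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)

cat > "$GOOD_CONF" <<EOF
[global]
    workgroup = MY
    realm = MY.REALM
    dedicated keytab file = FILE:$GOOD_KEYTAB
    kerberos method = dedicated keytab
    security = ads
[shared]
    path = /home/shared
    write list = @admins
EOF

cat > "$BAD_CONF" <<EOF
[global]
    workgroup = MY
    realm = MY.REALM
    dedicated keytab file = $BAD_KEYTAB
    security = user
EOF

for c in "$GOOD_CONF" "$BAD_CONF"; do
    if lint_smb_conf "$c" >/dev/null; then
        echo "$c: OK"
    else
        echo "$c: problems found (see above)"
    fi
done
```

Run it as root on the file server against the real /etc/samba/smb.conf to get the same report for a live configuration; the permission check is skipped when the keytab path does not exist yet, so run it again after ipa-getkeytab has written the file.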