
Re: [Freeipa-users] Woes adding a samba server to the ipa domain


I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipa server on the same box, so I just had to add the cifs server and get the keytab file in the same way.
I was a bit surprised to see that accessing samba using "smbclient -k \\..." worked right away from a linux box. Then it stopped working if I did kdestroy.

But I never got it to work from Windows. The Windows PC is not joined to any AD; it uses MIT Kerb client 4.0.1 and I successfully get tickets and can ssh login via putty without a password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria <loris lgs com ve>:
El jue, 23-10-2014 a las 12:32 +0200, Sumit Bose escribió:
> On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > El lun, 20-10-2014 a las 21:19 -0400, Dmitri Pal escribió:
> > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> >
> > [...]
> >
> > > >
> > > > Trying to join the server to the domain (net rpc join -U domainadmin -S
> > > > ipaserver) fails, and it causes a samba crash on the ipa server.
> > > > Investigating the cause of the crash I found that pdbedit crashes as
> > > > well (backtrace attached). I couldn't get a meaningful backtrace from
> > > > the samba crash however I attached it as well.
> > > >
> > > > Seems to me that the samba ipasam backend on ipa doesn't like something
> > > > in the host or the "domain computers" group object in ldap, but I cannot
> > > > see what could be the problem. Perhaps someone more familiar with the
> > > > ipasam code can spot it quickly.
> >
> > > Do I get it right that you really looking for
> > > https://fedorahosted.org/sssd/ticket/1588 that was just released
> > > upstream?
> > > It would be cool if you can try using SSSD 1.12.1 under Samba FS in
> > > the use case you have and provide feedback on how it works for you.
> > >
> > > AFAIU you install Samba FS and then use ipa-client to configure SSSD
> > > under it and it should work.
> > > If not we probably should document it (but I do not see any special
> > > design page which leads me to the above expectation).
> >
> > Ok, I'll happily try sssd 1.12.1.
> >
> > Just a question, in smb.conf one should use "security = domain" or
> > "security = ads"?
> 'ads' because we want to use Kerberos. But there are some other
> configuration options which need attention, e.g. you have to create a
> keytab for the cifs service and make it available to samba. I'll try to
> set up a small howto page listing the needed steps and come back to you
> early next week.

It Works :D, and here is what I did:

Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
one trusted AD forest (windows 2008R2 controllers), one Centos 7 file

Step 1) On the file server enable mkosek's COPR ipa repo:

2) Install required packages:
yum -y install ipa-client sssd-libwbclient samba samba-client

3) join file server to the ipa realm:
ipa-client-install --mkhomedir

Please note that this step fails, shortly after creating the keytab and
configuring sssd, probably caused by the version mismatch between ipa
server (3.3) and client (4.1). I will report the failure shortly.
Because of the failure I had to complete part of the join procedure myself:
authconfig --enablesssdauth --enablemkhomedir --update (on the client)
ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)

4) On the ipa server create the cifs principal for samba:
ipa service-add cifs/sambatest.my.realm

5) Install keytab on the samba host:
ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm \
    -k /etc/samba/samba.keytab

6) Edit /etc/samba/smb.conf on the samba file server:
; section headers assumed: the archive dropped the bracketed lines; [homes]
; follows from step 7 and [shared] from the smbclient //sambatest.my.realm/shared command
[global]
        workgroup = MY
        realm = MY.REALM
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        security = ads

[homes]
        browsable = no
        writable = yes

[shared]
        path = /home/shared
        writable = yes
        write list = @admins

7) To enable samba /home sharing one should turn on a selinux boolean:
setsebool -P samba_enable_home_dirs on

8) restart samba


On another linux member of the IPA domain it is possible to connect to
the samba shares using smbclient -k:
kinit user@MY.REALM
smbclient -k -L sambatest.my.realm
smbclient -k //sambatest.my.realm/shared

On a Windows machine that is a member of the AD domain, it is possible to connect
to the samba shares by typing in the Windows Explorer location bar:
Also, if the AD user is an (indirect) member of the IPA admins group,
thanks to the trust relationship, with the above smb.conf he may have
write access to the \shared folder.

Thanks to the ipa and sssd teams for this great enablement!
Loris Santamaria   linux user #70506   xmpp:loris lgs com ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 lgs com ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
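The steps above leave two things a file-server admin should verify before trusting the box: that smb.conf really selects Kerberos with the dedicated keytab (step 6), and that the cifs keytab fetched in step 5 is not readable by anyone but root, since whoever can read it can act as the file server towards Kerberos clients. The script below is an added example written for this thread, not code from Loris, john, Samba or FreeIPA. It assumes the paths, the realm MY.REALM and the share name "shared" from Loris's message, constructs a sample smb.conf and two empty keytab stand-ins in a temporary directory, and runs the checks against them; point `check_smb_conf` and `check_keytab_perms` at /etc/samba/smb.conf and /etc/samba/samba.keytab on a real server.

```shell
#!/bin/sh
# Added example (not from the thread or from the Samba/FreeIPA projects):
# post-setup checks for a Samba file server joined to an IPA realm with a
# dedicated cifs keytab. Paths, realm and share name follow Loris's message.

# smb_value CONF KEY: print the effective value of KEY in CONF. Comments are
# dropped, surrounding whitespace trimmed, and the last occurrence wins, as in
# smbd. Section-unaware, so only use it for [global] keys. Empty if KEY is absent.
smb_value() {
    sed -e 's/[;#].*$//' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | sed 's/[[:space:]]*$//' \
      | tail -n 1
}

# keytab_path CONF: the file named by "dedicated keytab file" with any "FILE:"
# prefix removed. Samba accepts both spellings (john's configuration has none).
keytab_path() {
    smb_value "$1" 'dedicated keytab file' | sed 's/^FILE://'
}

# check_smb_conf CONF: return 0 when the Kerberos-related settings match the
# working configuration from the thread; otherwise report each problem on
# stderr and return 1.
check_smb_conf() {
    conf=$1
    rc=0
    sec=$(smb_value "$conf" security)
    if [ "$sec" != "ads" ]; then
        echo "security = '$sec'; must be 'ads' so clients authenticate with Kerberos" >&2
        rc=1
    fi
    if [ "$(smb_value "$conf" 'kerberos method')" != "dedicated keytab" ]; then
        echo "kerberos method must be 'dedicated keytab'" >&2
        rc=1
    fi
    if [ -z "$(keytab_path "$conf")" ]; then
        echo "dedicated keytab file is not set" >&2
        rc=1
    fi
    realm=$(smb_value "$conf" realm)
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm = '$realm'; Kerberos realm names are upper case" >&2
        rc=1
    fi
    return $rc
}

# check_keytab_perms FILE: return 0 when FILE exists and only its owner can
# read it. Group or world read access on the cifs keytab is a finding.
check_keytab_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "keytab $f is missing; fetch it with ipa-getkeytab" >&2
        return 1
    fi
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "keytab $f is readable by group or others; chmod 600 it" >&2
        return 1
    fi
    return 0
}

# make_sample DIR: write a constructed smb.conf (step 6, with section headers)
# and two empty keytab stand-ins into DIR, one with a safe mode and one with an
# over-permissive mode. Sample data only; no real keytab is created.
make_sample() {
    cat > "$1/smb.conf" <<'EOF'
[global]
        workgroup = MY
        realm = MY.REALM
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        security = ads

[homes]
        browsable = no
        writable = yes

[shared]
        path = /home/shared
        writable = yes
        write list = @admins
EOF
    : > "$1/samba.keytab" && chmod 600 "$1/samba.keytab"
    : > "$1/leaky.keytab" && chmod 644 "$1/leaky.keytab"
}

# Stand-alone run against the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
check_smb_conf "$sample/smb.conf" && echo "smb.conf: Kerberos settings look right"
check_keytab_perms "$sample/samba.keytab" && echo "samba.keytab: permissions ok"
check_keytab_perms "$sample/leaky.keytab" || echo "leaky.keytab: rejected, as intended"
rm -rf "$sample"
```

`smb_value` deliberately mimics smbd's "last occurrence wins" rule so a stray second `security = domain` further down a real file is caught instead of masked. The permission check looks at mode bits only; on a real server also confirm the owner is root, and use `klist -k /etc/samba/samba.keytab` to confirm the cifs/sambatest.my.realm principal is actually present.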

