[Freeipa-users] Ubuntu Samba Server Auth against IPA
Matt .
yamakasi.014 at gmail.com
Sat Aug 1 17:51:57 UTC 2015
Hi,
Yes I found that earlier, that looks good and even better when you
confirm this as really usable.
For Samba 4 the IPA devs are very busy but I wonder indeed what
happends when we "need" to move because integration has been improved.
I try to keep IPA as native as I can.
So this is the best way to go for now, even when this thread is such "old" ?
Thanks!
Matt
2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> Hi Matt
>
> For a "how to" of Samba FreeIPA integration using schema extensions, see
> this previous thread
>
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>
> That should point to this techslaves article with the detailed instructions
> that we followed:
>
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> The main reason we went that way is that we have no AD domain, which seems
> to be required by other integration paths.
>
> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
> So things may be different on Ubuntu.
>
> As always, when changing the LDAP schema, an LDAP browser like Apache
> Directory Studio is very useful to visualise what is going on and to verify
> if your changes are present! (and is sometime easier to manually change
> attributes rather than by LDAPMODIFY script....)
>
> There is another ongoing thread in this mailing list about problems with
> the attribute SambaPwdLastSet.
>
> Chris
>
>
>
> From: "Matt ." <yamakasi.014 at gmail.com>
> To:
> Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Date: 31.07.2015 16:58
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by: freeipa-users-bounces at redhat.com
>
>
>
> Hi,
>
> This is nice to have confirmed.
>
> Is it possible for you to descrive what you do ? It might be handy to
> add this to the IPA documentation also with some explanation why...
>
> Cheers,
>
> Matt
>
> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> Hi
>>
>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>> "shares" using their FreeIPA credentials. The only password mgmt problem
>> that we have is, that the users get no notice of password expiry until
>> "suddenly" their Samba user (really the FreeIPA user) password is not
>> accepted when trying to connect to a share. Once the password is reset
> (via
>> CLI or FreeIPA WebUi), they can access the shares again.
>>
>> Chris
>>
>>
>>
>> From: Youenn PIOLET <piolet.y at gmail.com>
>> To: "Matt ." <yamakasi.014 at gmail.com>
>> Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> Date: 31.07.2015 16:21
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by: freeipa-users-bounces at redhat.com
>>
>>
>>
>> Hi,
>> I asked the very same question a few weeks ago, but no answer yet.
>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>
>> The only method I see is to install samba extensions in FreeIPA's LDAP
>> directory, and bind samba with LDAP. There may be a lot of difficulties
>> with password management doing this, that's why I'd like to get a better
>> solution :)
>>
>> Anyone?
>>
>>
>> --
>> Youenn Piolet
>> piolet.y at gmail.com
>>
>>
>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Guys,
>>
>> I'm really struggeling getting a NON AD Samba server authing against a
>> FreeIPA server:
>>
>> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>> CentOS 7.1 -> FreeIPA 4.1
>>
>> Now this seems to be the way:
>>
>>
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>>
>> But as this, which I also found on the mailinglists:
>>
>> NOTE: Only Kerberos authentication will work when accessing Samba
>> shares using this method. This means that Windows clients not joined
>> to Active Directory forest trusted by IPA would not be able to access
>> the shares. This is related to SSSD not yet being able to handle
>> NTLMSSP authentication.
>>
>> It might not be that easy to have a Samba Shares only server.
>>
>> Any idea here how to accomplish ?
>>
>> Cheers,
>>
>> Matt
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>
More information about the Freeipa-users
mailing list