[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Aug 3 07:53:43 UTC 2015


Hi Matt

Thankfully I saved the output from those ldapmodify commands (against
FreeIPA 4.1) and was able to find it again!

In our case sambagrouptype also seems to have already been present, so that
should not hurt.

[root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
SASL/GSSAPI authentication started
SASL username: lamb at MY.SILLY.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
ldap_add: Already exists (68)

Chris
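
An added example, not part of the original messages or of FreeIPA's own tooling: the same ipaCustomFields change written as an LDIF modify record, with a check of the current value first. Under `changetype: add`, ldapmodify tries to create the entry named in `dn:`, so `Already exists (68)` comes back for any existing entry whatever its attribute values are. The base DN argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example; function names and the base DN argument are assumptions.
# The field definition is the value quoted in the thread.
FIELD='"Samba Group Type,sambagrouptype,true"'

# Emit an LDIF modify record for cn=ipaconfig under the given base DN.
# "add: <attr>" is a modify directive only under "changetype: modify";
# the closing "-" ends the list of values for that directive.
custom_field_ldif() {
    printf 'dn: cn=ipaconfig,cn=etc,%s\n' "$1"
    printf 'changetype: modify\nadd: ipaCustomFields\n'
    printf 'ipaCustomFields: %s\n-\n' "$FIELD"
}

# Read ldapsearch LDIF output on stdin; succeed only if the exact field
# definition is present (attribute names are case-insensitive, hence -i).
has_custom_field() {
    grep -Fqxi "ipaCustomFields: $FIELD"
}

# Check first, modify only when the value is missing.
# Requires a valid Kerberos ticket (kinit) for a user allowed to edit ipaconfig.
ensure_custom_field() {
    base_dn=$1
    out=$(ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no -s base \
            -b "cn=ipaconfig,cn=etc,$base_dn" ipaCustomFields 2>/dev/null) || {
        echo "ldapsearch failed; not attempting a modify" >&2
        return 1
    }
    if printf '%s\n' "$out" | has_custom_field; then
        echo "ipaCustomFields value already present; nothing to do"
    else
        custom_field_ldif "$base_dn" | ldapmodify -Y GSSAPI
    fi
}

# Usage: ensure_custom_field "dc=my,dc=silly,dc=example,dc=com"
```
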




From:	"Matt ." <yamakasi.014 at gmail.com>
To:
Cc:	"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	02.08.2015 13:33
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:	freeipa-users-bounces at redhat.com



Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF


And I'm unsure about the python files as they are slightly different on 4.1


Thanks!


2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such "old" ?
>
> Thanks!
>
> Matt
>
>
> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> Hi Matt
>>
>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>> this previous thread
>>
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>
>> That should point to this techslaves article with the detailed instructions
>> that we followed:
>>
>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>
>> The main reason we went that way is that we have no AD domain, which seems
>> to be required by other integration paths.
>>
>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>> So things may be different on Ubuntu.
>>
>> As always, when changing the LDAP schema, an LDAP browser like Apache
>> Directory Studio is very useful to visualise what is going on and to verify
>> if your changes are present! (and is sometimes easier to manually change
>> attributes rather than by LDAPMODIFY script....)
>>
>> There is another ongoing thread in this mailing list about problems with
>> the attribute SambaPwdLastSet.
>>
>> Chris
>>
>>
>>
>> From:   "Matt ." <yamakasi.014 at gmail.com>
>> To:
>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> Date:   31.07.2015 16:58
>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by:        freeipa-users-bounces at redhat.com
>>
>>
>>
>> Hi,
>>
>> This is nice to have confirmed.
>>
>> Is it possible for you to describe what you do ? It might be handy to
>> add this to the IPA documentation also with some explanation why...
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>> Hi
>>>
>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>> that we have is, that the users get no notice of password expiry until
>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>> accepted when trying to connect to a share. Once the password is reset (via
>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>> Date:   31.07.2015 16:21
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:        freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> Hi,
>>> I asked the very same question a few weeks ago, but no answer yet.
>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>
>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>> with password management doing this, that's why I'd like to get a better
>>> solution :)
>>>
>>> Anyone?
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piolet.y at gmail.com
>>>
>>>
>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>   Hi Guys,
>>>
>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>   FreeIPA server:
>>>
>>>   Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>>   CentOS 7.1 -> FreeIPA 4.1
>>>
>>>   Now this seems to be the way:
>>>
>>>
>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>>   But as this, which I also found on the mailinglists:
>>>
>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>   shares using this method. This means that Windows clients not joined
>>>   to Active Directory forest trusted by IPA would not be able to access
>>>   the shares. This is related to SSSD not yet being able to handle
>>>   NTLMSSP authentication.
>>>
>>>   It might not be that easy to have a Samba Shares only server.
>>>
>>>   Any idea here how to accomplish ?
>>>
>>>   Cheers,
>>>
>>>   Matt
>>>
>>>   --
>>>   Manage your subscription for the Freeipa-users mailing list:
>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>   Go to http://freeipa.org for more info on the project