[Freeipa-users] Ubuntu Samba Server Auth against IPA

Matt . yamakasi.014 at gmail.com
Mon Aug 3 10:17:18 UTC 2015


Hi Chris,

Thanks for that verification!

It seems that:

/usr/share/ipa/ui/group.js

Is not there on IPA.4.1, also there is no .js at all on the whole system.

Any idea there ?

Thanks again!

Matt

2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> Hi Matt
>
> Thankfully I saved the output from those ldapmodify commands (against
> FreeIPA 4.1) and was able to find it again!
>
> In our case sambagrouptype also seems to have already been present, so that
> should not hurt.
>
> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>> changetype: add
>> add: ipaCustomFields
>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> EOF
> SASL/GSSAPI authentication started
> SASL username: lamb at MY.SILLY.EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
> ldap_add: Already exists (68)
>
> Chris
>
>
>
>
> From:   "Matt ." <yamakasi.014 at gmail.com>
> To:
> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Date:   02.08.2015 13:33
> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by:        freeipa-users-bounces at redhat.com
>
>
>
> Chris,
>
> Are you doing this on 3.x or also 4.x ?
>
> As the following already exists:
>
> ldapmodify -Y GSSAPI <<EOF
> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
> changetype: add
> add: ipaCustomFields
> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
> EOF
>
>
> And I'm unsure about the Python files as they are slightly different on 4.1
>
>
> Thanks!
>
>
> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi,
>>
>> Yes I found that earlier, that looks good and even better when you
>> confirm this as really usable.
>>
>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>> happens when we "need" to move because integration has been improved.
>>
>> I try to keep IPA as native as I can.
>>
>> So this is the best way to go for now, even when this thread is such
>> "old" ?
>>
>> Thanks!
>>
>> Matt
>>
>>
>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>> Hi Matt
>>>
>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>> this previous thread
>>>
>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>
>>> That should point to this techslaves article with the detailed
>>> instructions that we followed:
>>>
>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>
>>> The main reason we went that way is that we have no AD domain, which
>>> seems to be required by other integration paths.
>>>
>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>>> 7.x). So things may be different on Ubuntu.
>>>
>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>> Directory Studio is very useful to visualise what is going on and to
>>> verify if your changes are present! (and is sometimes easier to manually
>>> change attributes rather than by LDAPMODIFY script....)
>>>
>>> There is another ongoing thread in this mailing list about problems with
>>> the attribute SambaPwdLastSet.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>> To:
>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>> Date:   31.07.2015 16:58
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:        freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> Hi,
>>>
>>> This is nice to have confirmed.
>>>
>>> Is it possible for you to describe what you do ? It might be handy to
>>> add this to the IPA documentation also with some explanation why...
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> Hi
>>>>
>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>> that we have is, that the users get no notice of password expiry until
>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>> accepted when trying to connect to a share. Once the password is reset
>>>> (via CLI or FreeIPA WebUi), they can access the shares again.
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>> Date:   31.07.2015 16:21
>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>
>>>>
>>>>
>>>> Hi,
>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>
>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>> with password management doing this, that's why I'd like to get a better
>>>> solution :)
>>>>
>>>> Anyone?
>>>>
>>>>
>>>> --
>>>> Youenn Piolet
>>>> piolet.y at gmail.com
>>>>
>>>>
>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>   Hi Guys,
>>>>
>>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>>   FreeIPA server:
>>>>
>>>>   Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>
>>>>   Now this seems to be the way:
>>>>
>>>>
>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>>
>>>>   But as this, which I also found on the mailing lists:
>>>>
>>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>>   shares using this method. This means that Windows clients not joined
>>>>   to Active Directory forest trusted by IPA would not be able to access
>>>>   the shares. This is related to SSSD not yet being able to handle
>>>>   NTLMSSP authentication.
>>>>
>>>>   It might not be that easy to have a Samba Shares only server.
>>>>
>>>>   Any idea here how to accomplish ?
>>>>
>>>>   Cheers,
>>>>
>>>>   Matt
>>>>
>>>>   --
>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>   Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>
>
>
>
>
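
What the `ldap_add: Already exists (68)` result in the quoted session refers to, as an added example that is not part of the original thread: with `changetype: add`, ldapmodify sends an Add request for the whole entry (hence "adding new entry"), so result 68 is about the entry DN `cn=ipaconfig,...` and not about the `ipaCustomFields` value; adding a value to an existing entry takes `changetype: modify`. The functions `ldif_lint` and `ldif_fix` are hypothetical helper names used here to check LDIF offline before it is piped to ldapmodify.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for LDIF piped to ldapmodify.
# "changetype: add" creates a whole entry; "add: <attr>" is a modify operation.
# A record mixing the two is what produces "adding new entry ... Already exists (68)".

# Constructed sample: the record from the thread, with the DN shown there.
SAMPLE_LDIF='dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"'

_ldif_scan() {   # $1 = lint | fix ; LDIF on stdin
    awk -v mode="$1" '
    function flush(   i, flagged) {
        flagged = (ctype == "add" && modop != "")
        if (flagged) bad = 1
        if (flagged && mode == "lint")
            printf "%s: changetype add, but record has modify op [%s]\n", dn, modop
        if (mode == "fix")
            for (i = 1; i <= n; i++) {
                if (flagged && tolower(rec[i]) ~ /^changetype:[ \t]*add[ \t]*$/)
                    rec[i] = "changetype: modify"
                print rec[i]
            }
        n = 0; dn = ""; ctype = ""; modop = ""; attr = ""
    }
    /^[ \t]*$/ { flush(); if (mode == "fix") print ""; next }   # blank line ends a record
    {
        rec[++n] = $0
        key = tolower($0); sub(/:.*/, "", key)        # attribute name before the first colon
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)       # value after it
        if (key == "dn") dn = val
        else if (key == "changetype") ctype = tolower(val)
        else if (key == "add" || key == "replace" || key == "delete") {
            op = $0; attr = tolower(val); next        # remember op, check the next line
        }
        else if (attr != "" && key == attr) modop = op   # "add: x" followed by "x: value"
        attr = ""
    }
    END { flush(); exit (mode == "lint" ? bad + 0 : 0) }
    '
}
ldif_lint() { _ldif_scan lint; }   # exit status 1 if any record is flagged
ldif_fix()  { _ldif_scan fix; }    # same LDIF with flagged records set to modify

printf '%s\n' "$SAMPLE_LDIF" | ldif_lint || true
printf '%s\n' "$SAMPLE_LDIF" | ldif_fix
```

Records that really create an entry (`changetype: add` followed only by attribute lines) pass through both functions unchanged.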



