[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Aug 3 11:20:16 UTC 2015


Hi Matt

It looks like I skipped that step ... (And as we already had samba groups
in place, did not need to make new ones via the WebUI).

However a quick google trawled up this old thread that has a possible
answer from Peter. (I have not tested it yet myself).

https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

Chris



From:	"Matt ." <yamakasi.014 at gmail.com>
To:
Cc:	"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	03.08.2015 12:45
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:	freeipa-users-bounces at redhat.com



In my previous reply, I meant "no group.js at all".


2015-08-03 12:17 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Chris,
>
> Thanks for that verification!
>
> It seems that:
>
> /usr/share/ipa/ui/group.js
>
> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>
> Any idea there ?
>
> Thanks again!
>
> Matt
>
> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> Hi Matt
>>
>> Thankfully I saved the output from those ldapmodify commands (against
>> FreeIPA 4.1) and was able to find it again!
>>
>> In our case sambagrouptype also seems to have already been present, so
>> that should not hurt.
>>
>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>> changetype: add
>>> add: ipaCustomFields
>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> EOF
>> SASL/GSSAPI authentication started
>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>> SASL SSF: 56
>> SASL data security layer installed.
>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>> ldap_add: Already exists (68)
>>
>> Chris
>>
>>
>>
>>
>> From:   "Matt ." <yamakasi.014 at gmail.com>
>> To:
>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> Date:   02.08.2015 13:33
>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by:        freeipa-users-bounces at redhat.com
>>
>>
>>
>> Chris,
>>
>> Are you doing this on 3.x or also 4.x ?
>>
>> As the following already exists:
>>
>> ldapmodify -Y GSSAPI <<EOF
>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>> changetype: add
>> add: ipaCustomFields
>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>> EOF
>>
>>
>> And I'm unsure about the python files as they are slightly different on 4.1
>>
>>
>> Thanks!
>>
>>
>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>> Hi,
>>>
>>> Yes I found that earlier, that looks good and even better when you
>>> confirm this as really usable.
>>>
>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>> happens when we "need" to move because integration has been improved.
>>>
>>> I try to keep IPA as native as I can.
>>>
>>> So this is the best way to go for now, even when this thread is such
>>> "old" ?
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>>
>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>> Hi Matt
>>>>
>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>> this previous thread
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>
>>>> That should point to this techslaves article with the detailed
>>>> instructions that we followed:
>>>>
>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>
>>>> The main reason we went that way is that we have no AD domain, which
>>>> seems to be required by other integration paths.
>>>>
>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now
>>>> 7.x). So things may be different on Ubuntu.
>>>>
>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>> Directory Studio is very useful to visualise what is going on and to
>>>> verify if your changes are present! (and is sometimes easier to manually
>>>> change attributes rather than by LDAPMODIFY script....)
>>>>
>>>> There is another ongoing thread in this mailing list about problems with
>>>> the attribute SambaPwdLastSet.
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>> To:
>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>> Date:   31.07.2015 16:58
>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> This is nice to have confirmed.
>>>>
>>>> Is it possible for you to describe what you do ? It might be handy to
>>>> add this to the IPA documentation also with some explanation why...
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> Hi
>>>>>
>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>> that we have is, that the users get no notice of password expiry until
>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>> accepted when trying to connect to a share. Once the password is reset
>>>>> (via CLI or FreeIPA WebUi), they can access the shares again.
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>> Date:   31.07.2015 16:21
>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>
>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>> with password management doing this, that's why I'd like to get a
>>>>> better solution :)
>>>>>
>>>>> Anyone?
>>>>>
>>>>>
>>>>> --
>>>>> Youenn Piolet
>>>>> piolet.y at gmail.com
>>>>>
>>>>>
>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>   Hi Guys,
>>>>>
>>>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>>>   FreeIPA server:
>>>>>
>>>>>   Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>>
>>>>>   Now this seems to be the way:
>>>>>
>>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>
>>>>>
>>>>>   But as this, which I also found on the mailing lists:
>>>>>
>>>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>   shares using this method. This means that Windows clients not joined
>>>>>   to Active Directory forest trusted by IPA would not be able to access
>>>>>   the shares. This is related to SSSD not yet being able to handle
>>>>>   NTLMSSP authentication.
>>>>>
>>>>>   It might not be that easy to have a Samba Shares only server.
>>>>>
>>>>>   Any idea here how to accomplish ?
>>>>>
>>>>>   Cheers,
>>>>>
>>>>>   Matt
>>>>>
>>>>>   --
>>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>   Go to http://freeipa.org for more info on the project
>>>>
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
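
An added example, not part of the original thread or of FreeIPA: in the quoted ldapmodify session, `changetype: add` makes ldapmodify try to create the whole entry (its output reads "adding new entry" and `ldap_add`), and an entry that already exists answers with result 68. The shell sketch below flags that add/modify mix-up in an LDIF record and prints the same change as a `changetype: modify` record. The function names are hypothetical and `dc=domain,dc=tld` is the placeholder suffix used in the thread.

```sh
#!/bin/sh
# Added example: LDIF change-record lint for the add/modify mix-up.

# Constructed sample: the record as typed in the thread (placeholder suffix).
posted_ldif() {
cat <<'EOF'
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF
}

# lint_ldif: read LDIF on stdin; print one finding per record that declares
# "changetype: add" yet carries a modify directive (add:/replace:/delete:).
# Exit status is 1 when at least one finding was printed, else 0.
lint_ldif() {
    awk '
        /^dn:/         { dn = $0; ctype = ""; next }
        /^changetype:/ { ctype = $2; next }
        /^(add|replace|delete):/ {
            if (ctype == "add") {
                printf "%s: changetype add with modify directive \"%s\"\n", dn, $0
                bad = 1
            }
            next
        }
        /^$/           { dn = ""; ctype = "" }
        END            { exit bad + 0 }
    '
}

# modify_ldif: the same change as a modify record, closed with the "-" line
# that RFC 2849 places after each mod-spec.
modify_ldif() {
    posted_ldif | sed 's/^changetype: add$/changetype: modify/'
    printf '%s\n' '-'
}

# Demo: the posted record is flagged, the modify form passes the lint.
posted_ldif | lint_ldif || echo "posted record: flagged"
modify_ldif | lint_ldif && echo "modify record: clean"
```

After applying a modify record, an LDAP browser or search on `cn=ipaconfig` shows whether the `ipaCustomFields` value is actually present.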






