[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Aug 3 15:17:49 UTC 2015


Hi Matt

It sounds like you now have prepared FreeIPA for Samba.

I assume you have already configured Samba to authenticate via FreeIPA
(changes to the [global] section of your smb.conf file, secrets.tdb etc.).

Next you need to add your samba groups to FreeIPA (i.e. FreeIPA groups
with SambaGroupType = 4).

For example:

In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".

This group has (among others) the attribute SambaGroupType = 4

We can then use the name of the group in the smb.conf file:

[junit]
    comment = JUnit Share
    path = /samba/junit
    browseable = no
    valid users = @smb-junit
    write list = @smb-junit
    force group = smb-junit
    create mask = 0770


Ciao

Chris


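To make the group-name mapping concrete (an added example, not code from this thread, FreeIPA or Samba): the @group names in smb.conf must match the cn of FreeIPA groups that carry sambaGroupType = 4, so it is worth cross-checking the two before a share goes live. The Python script below parses a constructed smb.conf and a constructed LDIF export of IPA groups (hypothetical DNs) and reports every share that names a group which is missing or has another type.

```python
# Constructed inputs (not from the thread): an smb.conf modelled on the [junit] share
# above plus a deliberately broken [scratch] share, and an LDIF export of IPA groups.
SMB_CONF = """
[junit]
    valid users = @smb-junit
    write list = @smb-junit
    force group = smb-junit
[scratch]
    valid users = @smb-scratch, alice
    write list = @smb-legacy
"""
GROUPS_LDIF = """
dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=com
cn: smb-junit
sambaGroupType: 4

dn: cn=smb-legacy,cn=groups,cn=accounts,dc=example,dc=com
cn: smb-legacy
sambaGroupType: 2
"""
def parse_shares(text):
    # {share: {option: value}}; a '[name]' line opens a new section
    shares, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            cur = shares.setdefault(line[1:-1], {})
        elif cur is not None and '=' in line:
            k, v = (s.strip() for s in line.split('=', 1))
            cur[k] = v
    return shares
def parse_group_types(ldif):
    # {cn: sambaGroupType or None}; LDIF entries are separated by blank lines
    groups = {}
    for entry in ldif.strip().split('\n\n'):
        attrs = dict(line.split(': ', 1) for line in entry.splitlines())
        gtype = attrs.get('sambaGroupType')
        groups[attrs['cn']] = int(gtype) if gtype else None
    return groups
def check_shares(smb_conf, ldif):
    # (share, group, problem) for every group a share names that IPA cannot map
    groups, problems = parse_group_types(ldif), []
    for share, opts in parse_shares(smb_conf).items():
        refs = {t.strip()[1:] for k in ('valid users', 'write list')
                for t in opts.get(k, '').split(',') if t.strip().startswith('@')}
        refs |= {opts['force group']} if 'force group' in opts else set()
        for g in sorted(refs):
            if groups.get(g) != 4:
                problems.append((share, g, 'missing' if g not in groups
                                 else f'sambaGroupType={groups[g]}'))
    return problems
```

Only the @group syntax used in the thread is recognised; Samba's +group and &group forms and nested group membership are out of scope here.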

From:	"Matt ." <yamakasi.014 at gmail.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	"freeipa-users at redhat.com" <freeipa-users at redhat.com>, Petr
            Vobornik <pvoborni at redhat.com>
Date:	03.08.2015 16:03
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

OK, I have a Samba Group Type now in my groups details list and also
in the groups settings tab.

I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
overview it's still empty. But how to manage this between samba and
ipa? What should be the reference between the group(names)?

Thanks again!

Matt

2015-08-03 13:20 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
> Hi Matt
>
> It looks like I skipped that step ... (And as we already had samba groups
> in place, did not need to make new ones via the WebUI).
>
> However a quick google trawled up this old thread that has a possible
> answer from Peter. (I have not tested it yet myself).
>
> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>
> Chris
>
>
>
> From:   "Matt ." <yamakasi.014 at gmail.com>
> To:
> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Date:   03.08.2015 12:45
> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
> Sent by:        freeipa-users-bounces at redhat.com
>
>
>
> In my previous reply, I meant "no group.js at all".
>
>
> 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Chris,
>>
>> Thanks for that verification!
>>
>> It seems that:
>>
>> /usr/share/ipa/ui/group.js
>>
>> Is not there on IPA 4.1, also there is no .js at all on the whole system.
>>
>> Any idea there ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>> Hi Matt
>>>
>>> Thankfully I saved the output from those ldapmodify commands (against
>>> FreeIPA 4.1) and was able to find it again!
>>>
>>> In our case sambagrouptype also seems to have already been present, so that
>>> should not hurt.
>>>
>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>> changetype: add
>>>> add: ipaCustomFields
>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>> EOF
>>> SASL/GSSAPI authentication started
>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>> ldap_add: Already exists (68)
>>>
>>> Chris
>>>
>>>
>>>
>>>
>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>> To:
>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>> Date:   02.08.2015 13:33
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:        freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> Chris,
>>>
>>> Are you doing this on 3.x or also 4.x ?
>>>
>>> As the following already exists:
>>>
>>> ldapmodify -Y GSSAPI <<EOF
>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>> changetype: add
>>> add: ipaCustomFields
>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>> EOF
>>>
>>>
>>> And I'm unsure about the Python files as they are slightly different on 4.1
>>>
>>>
>>> Thanks!
>>>
>>>
>>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>> Hi,
>>>>
>>>> Yes I found that earlier, that looks good and even better when you
>>>> confirm this as really usable.
>>>>
>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>> happens when we "need" to move because integration has been improved.
>>>>
>>>> I try to keep IPA as native as I can.
>>>>
>>>> So this is the best way to go for now, even when this thread is such "old"?
>>>>
>>>> Thanks!
>>>>
>>>> Matt
>>>>
>>>>
>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> Hi Matt
>>>>>
>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>>> this previous thread
>>>>>
>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>
>>>>> That should point to this techslaves article with the detailed instructions
>>>>> that we followed:
>>>>>
>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>
>>>>> The main reason we went that way is that we have no AD domain, which seems
>>>>> to be required by other integration paths.
>>>>>
>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>>>>> So things may be different on Ubuntu.
>>>>>
>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>> Directory Studio is very useful to visualise what is going on and to verify
>>>>> if your changes are present! (And it is sometimes easier to manually change
>>>>> attributes rather than by LDAPMODIFY script....)
>>>>>
>>>>> There is another ongoing thread in this mailing list about problems with
>>>>> the attribute SambaPwdLastSet.
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>> To:
>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>> Date:   31.07.2015 16:58
>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> This is nice to have confirmed.
>>>>>
>>>>> Is it possible for you to describe what you do? It might be handy to
>>>>> add this to the IPA documentation also with some explanation why...
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>> Hi
>>>>>>
>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>> that we have is that the users get no notice of password expiry until
>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>> accepted when trying to connect to a share. Once the password is reset
>>>>>> (via CLI or FreeIPA WebUI), they can access the shares again.
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>>
>>>>>>
>>>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>> Date:   31.07.2015 16:21
>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>
>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>> solution :)
>>>>>>
>>>>>> Anyone?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Youenn Piolet
>>>>>> piolet.y at gmail.com
>>>>>>
>>>>>>
>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>   Hi Guys,
>>>>>>
>>>>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>>>>   FreeIPA server:
>>>>>>
>>>>>>   Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>>>
>>>>>>   Now this seems to be the way:
>>>>>>
>>>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>
>>>>>>
>>>>>>   But as this, which I also found on the mailinglists:
>>>>>>
>>>>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>   shares using this method. This means that Windows clients not joined
>>>>>>   to Active Directory forest trusted by IPA would not be able to access
>>>>>>   the shares. This is related to SSSD not yet being able to handle
>>>>>>   NTLMSSP authentication.
>>>>>>
>>>>>>   It might not be that easy to have a Samba Shares only server.
>>>>>>
>>>>>>   Any idea here how to accomplish ?
>>>>>>
>>>>>>   Cheers,
>>>>>>
>>>>>>   Matt
>>>>>>
>>>>>>   --
>>>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>   Go to http://freeipa.org for more info on the project