[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Tue Aug 4 12:16:41 UTC 2015


Hi Matt

From our smb.conf file:

[global]
   security = user
   passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
   ldap suffix = dc=my,dc=silly,dc=example,dc=com
   ldap admin dn = cn=Directory Manager

So yes, we use Directory Manager, it works for us. I have not tried with a
less powerful user, but it is conceivable that a lesser user may not see
all the required attributes, resulting in "no such user" errors.

Chris
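
As an added illustration, not code from this thread or from the FreeIPA or Samba projects, the script below runs two defensive checks on a configuration like the one above: it flags a [global] section that binds as Directory Manager over plain ldap:// without STARTTLS, and it cross-checks every group a share references against an LDIF export of the directory, expecting the SambaGroupType = 4 setting the earlier messages in this thread settled on for the [junit] share. The smb.conf text, the LDIF dump, the DN layout cn=groups,cn=accounts and the extra groups smb-other and smb-missing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Samba "ldapsam" configuration
# like the one above for weak [global] settings, and verify that every group the
# shares refer to exists in a FreeIPA group export with sambaGroupType 4.
# Inputs are constructed inline; DNs and the smb-other/smb-missing groups are assumptions.
SMB_CONF=$(mktemp)   # constructed smb.conf, modelled on the thread's [global] and [junit]
cat > "$SMB_CONF" <<'EOF'
[global]
   security = user
   passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
   ldap suffix = dc=my,dc=silly,dc=example,dc=com
   ldap admin dn = cn=Directory Manager

[junit]
   path = /samba/junit
   valid users = @smb-junit, @smb-other
   write list = @smb-junit, @smb-missing
   force group = smb-junit
EOF

LDIF=$(mktemp)       # constructed ldapsearch-style dump of the Samba-mapped groups
cat > "$LDIF" <<'EOF'
dn: cn=smb-junit,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: smb-junit
sambaGroupType: 4

dn: cn=smb-other,cn=groups,cn=accounts,dc=my,dc=silly,dc=example,dc=com
cn: smb-other
sambaGroupType: 2
EOF
trap 'rm -f "$SMB_CONF" "$LDIF"' EXIT

# smb_get CONF SECTION KEY: value of KEY (case-insensitive) in [SECTION].
smb_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec); next }
    sec == want_sec && index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == want_key) { print val; exit }
    }' "$1"
}

# smb_global_findings CONF: one line per weak [global] setting found.
smb_global_findings() {
  admin_dn=$(smb_get "$1" global "ldap admin dn" | tr 'A-Z' 'a-z')
  backend=$(smb_get "$1" global "passdb backend")
  ldap_ssl=$(smb_get "$1" global "ldap ssl")
  # Directory Manager bypasses directory access control and its password sits in
  # secrets.tdb on the file server: a compromised Samba host then owns the whole directory.
  [ "$admin_dn" = "cn=directory manager" ] &&
    echo "ldap admin dn is Directory Manager: use a dedicated bind DN limited to the Samba attributes"
  # Plain ldap:// without STARTTLS carries the bind password and the sambaNTPassword
  # hashes that ldapsam reads and writes across the network in the clear.
  case "$backend" in
    ldapsam:ldap://*) [ "$ldap_ssl" = "start tls" ] ||
      echo "passdb backend is plain ldap:// without 'ldap ssl = start tls': bind password and hashes travel unencrypted" ;;
  esac
}

# smb_group_refs CONF: sorted group names referenced by shares (@group/+group lists, force group).
smb_group_refs() {
  awk '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec); next }
    sec != "" && tolower(sec) != "global" && index($0, "=") {
      key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      n = split(val, tok, /[ \t,]+/)
      for (i = 1; i <= n; i++) {
        if (key == "force group") { g = tok[i]; sub(/^\+/, "", g); seen[g] = 1 }
        else if (key ~ /^(valid users|invalid users|read list|write list)$/ && tok[i] ~ /^[@+&]/) {
          g = tok[i]; sub(/^[@+&]+/, "", g); seen[g] = 1
        }
      }
    }
    END { for (g in seen) print g }' "$1" | sort
}

# ldif_group_type LDIF NAME: sambaGroupType of the entry whose cn is NAME, empty if absent.
ldif_group_type() {
  awk -v want="$2" '
    /^$/ { if (cn == want) print type; cn = ""; type = ""; next }
    /^cn: / { cn = substr($0, 5) }
    /^sambaGroupType: / { type = substr($0, 17) }
    END { if (cn == want) print type }' "$1"
}

# check_groups CONF LDIF: each referenced group must exist with sambaGroupType 4 (local group).
check_groups() {
  for g in $(smb_group_refs "$1"); do
    t=$(ldif_group_type "$2" "$g")
    if [ -z "$t" ]; then echo "MISSING   $g: referenced in smb.conf but absent from the directory export"
    elif [ "$t" != 4 ]; then echo "WRONGTYPE $g: sambaGroupType is $t, expected 4"
    fi
  done
}

smb_global_findings "$SMB_CONF"; check_groups "$SMB_CONF" "$LDIF"
```

On a real deployment the two heredocs would be replaced by the live smb.conf and an ldapsearch dump of the groups subtree. The `ldap admin dn` finding is the point raised above: Directory Manager works, but a dedicated bind DN granted only the attributes ldapsam needs keeps a compromise of the file server from becoming a compromise of the whole directory, and the missing-group check turns a vague "no such user" at share access time into a named group that is absent or mapped with the wrong type.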




From:	"Matt ." <yamakasi.014 at gmail.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	"freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	04.08.2015 13:32
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Thanks for the heads up, indeed local is 4 I see now when I add a
group from the GUI, great thanks!

But do you use Directory Manager as ldap admin user or some other
admin account ?

I'm not sure if DM is needed and it should get that deep into IPA.
Also when starting samba it cannot find "such user" as that sounds
quite known as it has no UID.

From your config I see you use DM, this should work ?

Thanks!


Matt

2015-08-04 13:15 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
> Matt
>
> 2015-08-03 17:17 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>> Hi Matt
>>
>> It sounds like you now have prepared FreeIPA for Samba
>>
>> I assume you have already configured Samba to authenticate via FreeIPA
>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>
>> Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
>> with SambaGroupType = 4)
>>
>> For example:
>>
>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>
>> This group has (among others) the attribute SambaGroupType = 4
>>
>> We can then use the name of the group in the smb.conf file
>>
>> [junit]
>>         comment = JUnit Share
>>         path = /samba/junit
>>         browseable = no
>>         valid users = @smb-junit
>>          write list = @smb-junit
>>          force group = smb-junit
>>         create mask = 0770
>>
>>
>> Ciao
>>
>> Chris
>>
>>
>>
>> From:   "Matt ." <yamakasi.014 at gmail.com>
>> To:     Christopher Lamb/Switzerland/IBM at IBMCH
>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>, Petr Vobornik <pvoborni at redhat.com>
>> Date:   03.08.2015 16:03
>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi,
>>
>> OK, I have a Samba Group Type now in my groups details list and also
>> in the groups settings tab.
>>
>> I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
>> overview it's still empty. But how to manage this between samba and
>> ipa ? What should be the reference between the group(names) ?
>>
>> Thanks again!
>>
>> Matt
>>
>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>> Hi Matt
>>>
>>> It looks like I skipped that step ... (And as we already had samba groups
>>> in place, did not need to make new ones via the WebUI).
>>>
>>> However a quick google trawled up this old thread that has a possible
>>> answer from Peter. (I have not tested it yet myself).
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>> To:
>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>> Date:   03.08.2015 12:45
>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by:        freeipa-users-bounces at redhat.com
>>>
>>>
>>>
>>> In my previous reply, I meant "no group.js at all" .
>>>
>>>
>>> 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>> Hi Chris,
>>>>
>>>> Thanks for that verification!
>>>>
>>>> It seems that:
>>>>
>>>> /usr/share/ipa/ui/group.js
>>>>
>>>> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>>>>
>>>> Any idea there ?
>>>>
>>>> Thanks again!
>>>>
>>>> Matt
>>>>
>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>> Hi Matt
>>>>>
>>>>> Thankfully I saved the output from those ldapmodify commands (against
>>>>> FreeIPA 4.1) and was able to find it again!
>>>>>
>>>>> In our case sambagrouptype also seems to have already been present, so that
>>>>> should not hurt.
>>>>>
>>>>> [root at xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>> changetype: add
>>>>>> add: ipaCustomFields
>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> EOF
>>>>> SASL/GSSAPI authentication started
>>>>> SASL username: lamb at MY.SILLY.EXAMPLE.COM
>>>>> SASL SSF: 56
>>>>> SASL data security layer installed.
>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>> ldap_add: Already exists (68)
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>> To:
>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>> Date:   02.08.2015 13:33
>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>
>>>>>
>>>>>
>>>>> Chris,
>>>>>
>>>>> Are you doing this on 3.x or also 4.x ?
>>>>>
>>>>> As the following already exists:
>>>>>
>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>> changetype: add
>>>>> add: ipaCustomFields
>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>> EOF
>>>>>
>>>>>
>>>>> And I'm unsure about the python files as they are slightly different on 4.1
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>> Hi,
>>>>>>
>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>> confirm this as really usable.
>>>>>>
>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>> happens when we "need" to move because integration has been improved.
>>>>>>
>>>>>> I try to keep IPA as native as I can.
>>>>>>
>>>>>> So this is the best way to go for now, even when this thread is such "old" ?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>> Hi Matt
>>>>>>>
>>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>>>>> this previous thread
>>>>>>>
>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>
>>>>>>> That should point to this techslaves article with the detailed instructions
>>>>>>> that we followed:
>>>>>>>
>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>
>>>>>>> The main reason we went that way is that we have no AD domain, which seems
>>>>>>> to be required by other integration paths.
>>>>>>>
>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>>>>>>> So things may be different on Ubuntu.
>>>>>>>
>>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>>>> Directory Studio is very useful to visualise what is going on and to verify
>>>>>>> if your changes are present! (and it is sometimes easier to manually change
>>>>>>> attributes rather than by LDAPMODIFY script....)
>>>>>>>
>>>>>>> There is another ongoing thread in this mailing list about problems with
>>>>>>> the attribute SambaPwdLastSet.
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From:   "Matt ." <yamakasi.014 at gmail.com>
>>>>>>> To:
>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>> Date:   31.07.2015 16:58
>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This is nice to have confirmed.
>>>>>>>
>>>>>>> Is it possible for you to describe what you do ? It might be handy to
>>>>>>> add this to the IPA documentation also with some explanation why...
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>>>> that we have is that the users get no notice of password expiry until
>>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>>>> accepted when trying to connect to a share. Once the password is reset (via
>>>>>>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> From:   Youenn PIOLET <piolet.y at gmail.com>
>>>>>>>> To:     "Matt ." <yamakasi.014 at gmail.com>
>>>>>>>> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>>>>>> Date:   31.07.2015 16:21
>>>>>>>> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> Sent by:        freeipa-users-bounces at redhat.com
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>
>>>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>>>> solution :)
>>>>>>>>
>>>>>>>> Anyone?
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Youenn Piolet
>>>>>>>> piolet.y at gmail.com
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>   Hi Guys,
>>>>>>>>
>>>>>>>>   I'm really struggling getting a NON AD Samba server authing against a
>>>>>>>>   FreeIPA server:
>>>>>>>>
>>>>>>>>   Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>>>>>>>   CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>
>>>>>>>>   Now this seems to be the way:
>>>>>>>>
>>>>>>>>   https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>
>>>>>>>>
>>>>>>>>   But as this, which I also found on the mailinglists:
>>>>>>>>
>>>>>>>>   NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>>>   shares using this method. This means that Windows clients not joined
>>>>>>>>   to Active Directory forest trusted by IPA would not be able to access
>>>>>>>>   the shares. This is related to SSSD not yet being able to handle
>>>>>>>>   NTLMSSP authentication.
>>>>>>>>
>>>>>>>>   It might not be that easy to have a Samba Shares only server.
>>>>>>>>
>>>>>>>>   Any idea here how to accomplish ?
>>>>>>>>
>>>>>>>>   Cheers,
>>>>>>>>
>>>>>>>>   Matt
>>>>>>>>
>>>>>>>>   --
>>>>>>>>   Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>   https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>   Go to http://freeipa.org for more info on the project
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>