[Freeipa-users] Ubuntu Samba Server Auth against IPA

Christopher Lamb christopher.lamb at ch.ibm.com
Thu Aug 6 15:32:16 UTC 2015


@Youenn. Thanks for the clarification. At least 3 integration paths, so we
may end up with 3 Wiki how-tos.

@Matt I now have a throwaway VM with FreeIPA 4.1 Server installed, that I
can play around with over the next few days, but as this is "in my free
time, on the train on the way home" type activity, I don't know how fast I
will be.



From:	Youenn PIOLET <piolet.y at gmail.com>
To:	"Matt ." <yamakasi.014 at gmail.com>
Cc:	Christopher Lamb/Switzerland/IBM at IBMCH,
            "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Date:	06.08.2015 17:16
Subject:	Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

There is no Active Directory in my solution, just freeipa adtrust
extensions - necessary to generate SIDs.

To me, there are 3 integration paths:
- ldapsam module without AD, using LDAP directly: you need samba
extensions in FreeIPA's LDAP, that's what you tried to achieve in this
thread.
- kerberos module with AD, this is the tutorial from the official
documentation
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but it won't work on Windows if you don't have a domain because of NTLM
problems
- ipasam module, the solution I used: half LDAP (to read NTHash/SID), half
Kerberos (to bind samba to the LDAP).

In all solutions, extra schemas are needed for the FreeIPA directory.
`ipa-adtrust-install` can install these extensions, or you can do it
manually. I prefer the IPA automatic way to LDIFs :)

ipa-adtrust-install also automatically generates the SID and password hash
needed by CIFS when you add a user or a group in FreeIPA. No need to patch
the interface to generate correct attributes.

What I also understood: ipa-adtrust-install doesn't use the good old samba
extensions (with things like sambaSID, sambaGroupType, sambaSamAccount,
etc.) but new ipaNTHash/ipaNTsecurityIdentifier values. This must be the
reason why the ldapsam solution doesn't work directly after an
ipa-adtrust-install. To ask the CIFS service to read them instead of the
classic ones, we use ipasam.

@Matt .
You're currently trying the ldapsam solution. The problem is to make the
FreeIPA interface able to work with samba's "good old extensions". These
extensions contain classes like "sambaSamAccount" or "sambaGroupMapping". To
make CIFS able to read groups from LDAP, groups need to instantiate some
samba classes (same for users). When you instantiate the class
sambaGroupMapping, the value sambaGroupType is compulsory, but FreeIPA
doesn't build the value correctly, even with the group.js patch previously
linked. I think some dev work is needed to fix this if you want to do it
this way.

In my opinion, the 'ipasam' way is much easier, and seems to be the way
redhat/devs/freeipa want to support in the future.

Cheers,
--
Youenn Piolet
piolet.y at gmail.com


2015-08-06 16:19 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  Hi Chris,

  OK, then we might create two different versions of the wiki, I think
  this is nice.

  I'm still figuring out why I get that:

  IPA Error 4205: ObjectclassViolation

  missing attribute "sambaGroupType" required by object class
  "sambaGroupMapping"

  Matt

  2015-08-06 16:09 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  > Hi Matt
  >
  > As far as I can make out, there are at least 2 viable Samba / FreeIPA
  > integration paths.
  >
  > The route I took is suited where there is no Active Directory involved: In
  > my case all the Windows, OSX and Linux clients are islands that sit on the
  > same network.
  >
  > The route that Youenn has taken (unless I have got completely the wrong end
  > of the stick) requires Active Directory in the architecture.
  >
  > Chris
  >
  >
  >
  > From:   "Matt ." <yamakasi.014 at gmail.com>
  > To:     Youenn PIOLET <piolet.y at gmail.com>
  > Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
  >             "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  > Date:   06.08.2015 14:42
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >
  >
  >
  > Hi,
  >
  > OK, this sounds already quite logical, but I'm still referring to the
  > old howto we found earlier, does that one still apply somewhere or not
  > at all?
  >
  > Thanks,
  >
  > Matt
  >
  >
  >
  > 2015-08-06 12:23 GMT+02:00 Youenn PIOLET <piolet.y at gmail.com>:
  >> Hey guys,
  >>
  >> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
  >>
  >> General idea:
  >>
  >> On FreeIPA (4.1)
  >> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
  >> attribute, also known as SID)
  >> - regenerate each user password to build ipaNTHash attribute, not here by
  >> default on users
  >> - use your ldap browser to check ipaNTHash values are here on user
  >> objects
  >> - create a CIFS service for your samba server
  >> - Create user roles/permissions as described here:
  >> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  >> so that CIFS service will be able to read ipaNTsecurityidentifier and
  >> ipaNTHash attributes in LDAP (ACI)
  >> - SCP ipasam.so module to your cifs server (this is the magic trick):
  >> scp /usr/lib64/samba/pdb/ipasam.so root at samba-server.domain:/usr/lib64/samba/pdb/
  >> You can also try to recompile it.
  >>
  >> On SAMBA Server side (CentOS 7...)
  >> - Install server keytab file for CIFS
  >> - check ipasam.so is here.
  >> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
  >> uid=admin ipaNTHash` thanks to kerberos
  >> - make your smb.conf following the linked thread and restart service
  >>
  >> I don't know if it works in Ubuntu. I know sssd has evolved quickly and
  >> ipasam may use quite recent functionalities, the best is to just try. You
  >> can read in the previous thread: "If you insist on Ubuntu you need to get
  >> ipasam somewhere, most likely to compile it yourself".
  >>
  >> Make sure your user has ipaNTHash attribute :)
  >>
  >> You may want to debug authentication on samba server, I usually do this:
  >> `tail -f /var/log/samba/log* | grep <username>`
  >>
  >> Cheers
  >> --
  >> Youenn Piolet
  >> piolet.y at gmail.com
  >>
  >>
  >> 2015-08-05 17:40 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  >>>
  >>> Hi,
  >>>
  >>> This sounds great to me too, but a howto would help to make it more
  >>> clear about what you have done here. The thread confuses me a little
  >>> bit.
  >>>
  >>> Can you paste your commands so we can test out too and report back ?
  >>>
  >>> Thanks!
  >>>
  >>> Matt
  >>>
  >>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>> > Hi Youenn
  >>> >
  >>> > Good news that you have got an integration working
  >>> >
  >>> > Now you have got it going, and the solution is fresh in your mind, how
  >>> > about adding a How-to page on this solution to the FreeIPA wiki?
  >>> >
  >>> > Chris
  >>> >
  >>> >
  >>> >
  >>> > From:   Youenn PIOLET <piolet.y at gmail.com>
  >>> > To:     "Matt ." <yamakasi.014 at gmail.com>
  >>> > Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
  >>> >             "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> > Date:   05.08.2015 14:51
  >>> > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >
  >>> >
  >>> >
  >>> > Hi guys,
  >>> >
  >>> > Thank you so much for your previous answers.
  >>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
  >>> > ipa-adtrust-install --add-sids
  >>> >
  >>> > I found another way to configure smb here:
  >>> >
  >>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  >>> >
  >>> > It works perfectly.
  >>> >
  >>> > I'm using the module ipasam.so, which I have manually scp'd to the samba
  >>> > server. Samba is set to use kerberos + ldapsam via this ipasam module.
  >>> > Following the instructions, I created a user role allowing the service
  >>> > principal to read the ipaNTHash value from the LDAP.
  >>> > ipaNTHash is generated each time a user changes his password.
  >>> > Authentication works perfectly on Windows 7, 8 and 10.
  >>> >
  >>> > For more details, the previously linked thread is quite clear.
  >>> >
  >>> > Cheers
  >>> >
  >>> > --
  >>> > Youenn Piolet
  >>> > piolet.y at gmail.com
  >>> >
  >>> >
  >>> > 2015-08-05 11:10 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  >>> >   Hi Chris.
  >>> >
  >>> >   Yes, Apache Studio did that but I was not sure why it complained it
  >>> >   was "already" there.
  >>> >
  >>> >   I'm still getting:
  >>> >
  >>> >   IPA Error 4205: ObjectclassViolation
  >>> >
  >>> >   missing attribute "sambaGroupType" required by object class
  >>> >   "sambaGroupMapping"
  >>> >
  >>> >   When adding a user.
  >>> >
  >>> >   I also see "class" as field name under my "Last name", this is not OK
  >>> >   either.
  >>> >
  >>> >
  >>> >
  >>> >   We sure need to make some howto, I think we can nail this down :)
  >>> >
  >>> >   Thanks for the heads up!
  >>> >
  >>> >   Matthijs
  >>> >
  >>> >   2015-08-05 7:51 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>> >   > Hi Matt
  >>> >   >
  >>> >   > If I use Apache Directory Studio to add an attribute ipaCustomFields
  >>> >   > to cn=ipaConfig,cn=etc, the operation it performs is a modify, as
  >>> >   > shown below:
  >>> >   >
  >>> >   > #!RESULT OK
  >>> >   > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
  >>> >   > #!DATE 2015-08-05T05:45:04.608
  >>> >   > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
  >>> >   > changetype: modify
  >>> >   > add: ipaCustomFields
  >>> >   > ipaCustomFields: Samba Group Type,sambagrouptype,true
  >>> >   >
  >>> >   > After that I then have a visible attribute ipaCustomFields as
  >>> >   > expected.
  >>> >   >
  >>> >   > When adding the attribute, the wizard offered me "ipaCustomFields"
  >>> >   > as attribute type in a drop down list.
  >>> >   >
  >>> >   > Once we get this cracked, we really must write a how-to on the
  >>> >   > FreeIPA Wiki.
  >>> >   >
  >>> >   > Chris
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   > From:   Christopher Lamb/Switzerland/IBM at IBMCH
  >>> >   > To:     "Matt ." <yamakasi.014 at gmail.com>
  >>> >   > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> >   > Date:   05.08.2015 07:31
  >>> >   > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >   > Sent by:        freeipa-users-bounces at redhat.com
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   > Hi Matt
  >>> >   >
  >>> >   > I also got the same result at that step, but can see nothing in
  >>> >   > Apache Directory Studio.
  >>> >   >
  >>> >   > As I am using existing Samba / FreeIPA groups migrated across, they
  >>> >   > probably were migrated with all the required attributes.
  >>> >   >
  >>> >   > Looking more closely at that LDIF: I wonder should it not be:
  >>> >   >
  >>> >   > ldapmodify -Y GSSAPI <<EOF
  >>> >   > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  >>> >   > changetype: modify
  >>> >   > add: ipaCustomFields
  >>> >   > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  >>> >   > EOF
  >>> >   >
  >>> >   > i.e. changetype: modify, instead of changetype: add?
  >>> >   >
  >>> >   > I don't want to play around with my prod directory - I will set up
  >>> >   > an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow
  >>> >   > me to play around more destructively.
  >>> >   >
  >>> >   > Chris
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   > From:            "Matt ." <yamakasi.014 at gmail.com>
  >>> >   > To:              Christopher Lamb/Switzerland/IBM at IBMCH
  >>> >   > Cc:              Youenn PIOLET <piolet.y at gmail.com>,
  >>> >   >                  "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> >   > Date:            05.08.2015 01:01
  >>> >   > Subject:         Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   > Hi Chris,
  >>> >   >
  >>> >   > I'm at the right path, but my issue is that:
  >>> >   >
  >>> >   > ldapmodify -Y GSSAPI <<EOF
  >>> >   > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
  >>> >   > changetype: add
  >>> >   > add: ipaCustomFields
  >>> >   > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
  >>> >   > EOF
  >>> >   >
  >>> >   > Does say it exists, my ldap explorer doesn't show it, and when I
  >>> >   > add it manually as an attribute it still fails when I add a user on
  >>> >   > this sambagrouptype as it's needed by the other attributes
  >>> >   >
  >>> >   > So that is my issue I think so far.
  >>> >   >
  >>> >   > Any clue about that ?
  >>> >   >
  >>> >   > No problem "you don't know something or are no guru" we are all
  >>> >   > learning! :)
  >>> >   >
  >>> >   > Cheers,
  >>> >   >
  >>> >   > Matt
  >>> >   >
  >>> >   >
  >>> >   > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>> >   >> Hi Matt, Youenn
  >>> >   >>
  >>> >   >> Just to set the background properly, I did not invent this process.
  >>> >   >> I know only a little about FreeIPA, and almost nothing about Samba,
  >>> >   >> but I guess I was lucky enough to get the integration working on a
  >>> >   >> Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x
  >>> >   >> installation as a reference).
  >>> >   >>
  >>> >   >> It sounds like we need to step back, and look at the test user and
  >>> >   >> group in the FreeIPA LDAP tree. I find using an LDAP browser makes
  >>> >   >> this much easier.
  >>> >   >>
  >>> >   >> My FreeIPA / Samba Users have the following Samba extensions in
  >>> >   >> FreeIPA (cn=accounts, cn=users):
  >>> >   >>
  >>> >   >> * objectClass: sambasamaccount
  >>> >   >>
  >>> >   >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
  >>> >   >>
  >>> >   >> My FreeIPA / Samba Groups have the following Samba extensions in
  >>> >   >> FreeIPA (cn=accounts, cn=groups):
  >>> >   >>
  >>> >   >> * objectClass: sambaGroupMapping
  >>> >   >>
  >>> >   >> * Attributes: sambaGroupType, sambaSID
  >>> >   >>
  >>> >   >> The Users must belong to one or more of the samba groups that you
  >>> >   >> have set up.
  >>> >   >>
  >>> >   >> If you don't have something similar to the above (which sounds like
  >>> >   >> it is the case), then something went wrong applying the extensions.
  >>> >   >> It would be worth testing comparing a new user / group created post
  >>> >   >> adding the extensions to a previous existing user.
  >>> >   >>
  >>> >   >> i.e.
  >>> >   >> are the extensions missing on existing users / groups?
  >>> >   >> are the extensions missing on new users / groups?
  >>> >   >>
  >>> >   >> Cheers
  >>> >   >>
  >>> >   >> Chris
  >>> >   >>
  >>> >   >>
  >>> >   >>
  >>> >   >>
  >>> >   >>
  >>> >   >> From:   Youenn PIOLET <piolet.y at gmail.com>
  >>> >   >> To:     "Matt ." <yamakasi.014 at gmail.com>
  >>> >   >> Cc:     Christopher Lamb/Switzerland/IBM at IBMCH,
  >>> >   >>             "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> >   >> Date:   04.08.2015 18:56
  >>> >   >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >   >>
  >>> >   >>
  >>> >   >>
  >>> >   >> Hi there,
  >>> >   >>
  >>> >   >> I have difficulties following you at this point :)
  >>> >   >> Here is what I've done and what I've understood:
  >>> >   >>
  >>> >   >> ## SMB Side
  >>> >   >> - Testparm OK
  >>> >   >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
  >>> >   >> - pdbedit -Lv output is all successful but I can see there is a
  >>> >   >> filter: (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users
  >>> >   >> don't have sambaSamAccount.
  >>> >   >>
  >>> >   >> ## LDAP / FreeIPA side
  >>> >   >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
  >>> >   >> server to get samba LDAP extensions.
  >>> >   >> - I can see samba classes exist in LDAP but are not used on my group
  >>> >   >> objects nor my user objects
  >>> >   >> - I have added sambaSamAccount in FreeIPA default user classes,
  >>> >   >> and sambaGroupMapping to default group classes. In that state I can't
  >>> >   >> create users nor groups anymore, as new samba attributes are needed
  >>> >   >> for instantiation.
  >>> >   >> - I have added in etc ipaCustomFields: 'Samba Group
  >>> >   >> Type,sambagrouptype,true' but I don't get what it does.
  >>> >   >> - I tried to add the samba.js plugin. It works, and adds the "local"
  >>> >   >> option when creating a group in FreeIPA, supposed to set
  >>> >   >> sambagrouptype to 4 or 2 (domain). It doesn't work and tells that
  >>> >   >> the sambagrouptype attribute doesn't exist (but it should now that I
  >>> >   >> put the sambaGroupType class by default...)
  >>> >   >>
  >>> >   >> ## Questions
  >>> >   >> 0) Can I ask samba not to search sambaSamAccount and use unix /
  >>> >   >> posix instead? I guess no.
  >>> >   >> 1) How to generate the user/group SIDs? They are requested to add
  >>> >   >> sambaSamAccount classes.
  >>> >   >> This article doesn't seem relevant since we don't use a domain
  >>> >   >> controller
  >>> >   >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
  >>> >   >> and netgetlocalsid returns an error.
  >>> >   >> 2) How to fix samba.js plugin?
  >>> >   >> 3) I guess an equivalent of samba.js is needed for user creation,
  >>> >   >> where can I find it?
  >>> >   >> 4) Is your setup working with Windows 8 / Windows 10 and not only
  >>> >   >> Windows 7?
  >>> >   >>
  >>> >   >> Thanks a lot for your previous and future answers
  >>> >   >>
  >>> >   >> --
  >>> >   >> Youenn Piolet
  >>> >   >> piolet.y at gmail.com
  >>> >   >>
  >>> >   >>
  >>> >   >> 2015-08-04 17:55 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
  >>> >   >>   Hi,
  >>> >   >>
  >>> >   >>   Yes, log is anonymised.
  >>> >   >>
  >>> >   >>   It's strange, my user doesn't have a SambaPwdLastSet, also when I
  >>> >   >>   change its password it doesn't get it in ldap.
  >>> >   >>
  >>> >   >>   There must be something going wrong I guess.
  >>> >   >>
  >>> >   >>   Matt
  >>> >   >>
  >>> >   >>   2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>> >   >>   > Hi Matt
  >>> >   >>   >
  >>> >   >>   > I assume [username] is a real username, identical to that in
  >>> >   >>   > the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the
  >>> >   >>   > log extract).
  >>> >   >>   >
  >>> >   >>   > Your user should be a member of the appropriate samba groups that
  >>> >   >>   > you set up in FreeIPA.
  >>> >   >>   >
  >>> >   >>   > You should check that the user attribute SambaPwdLastSet is set
  >>> >   >>   > to a positive value (e.g. 1). If not you get an error in the Samba
  >>> >   >>   > logs - I would need to play around again with a test user to find
  >>> >   >>   > out the exact error.
  >>> >   >>   >
  >>> >   >>   > I don't understand what you mean about syncing the users local,
  >>> >   >>   > but we did not need to do anything like that.
  >>> >   >>   >
  >>> >   >>   > Chris
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   > From:   "Matt ." <yamakasi.014 at gmail.com>
  >>> >   >>   > To:     Christopher Lamb/Switzerland/IBM at IBMCH
  >>> >   >>   > Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> >   >>   > Date:   04.08.2015 15:33
  >>> >   >>   > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   > Hi Chris,
  >>> >   >>   >
  >>> >   >>   > A puppet run added another passdb backend, that was causing my
  >>> >   >>   > issue.
  >>> >   >>   >
  >>> >   >>   > What I still experience is:
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   > [2015/08/04 15:29:45.477783,  3]
  >>> >   >>   > ../source3/auth/check_samsec.c:399(check_sam_security)
  >>> >   >>   >   check_sam_security: Couldn't find user 'username' in passdb.
  >>> >   >>   > [2015/08/04 15:29:45.478026,  2]
  >>> >   >>   > ../source3/auth/auth.c:288(auth_check_ntlm_password)
  >>> >   >>   >   check_ntlm_password:  Authentication for user [username] ->
  >>> >   >>   > [username] FAILED with error NT_STATUS_NO_SUCH_USER
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   > I also wonder if I shall still sync the users local, or is it
  >>> >   >>   > needed?
  >>> >   >>   >
  >>> >   >>   > Thanks again,
  >>> >   >>   >
  >>> >   >>   > Matt
  >>> >   >>   >
  >>> >   >>   > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.lamb at ch.ibm.com>:
  >>> >   >>   >> Hi Matt
  >>> >   >>   >>
  >>> >   >>   >> From our smb.conf file:
  >>> >   >>   >>
  >>> >   >>   >> [global]
  >>> >   >>   >>    security = user
  >>> >   >>   >>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
  >>> >   >>   >>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
  >>> >   >>   >>    ldap admin dn = cn=Directory Manager
  >>> >   >>   >>
  >>> >   >>   >> So yes, we use Directory Manager, it works for us. I have not
  >>> >   >>   >> tried with a less powerful user, but it is conceivable that a
  >>> >   >>   >> lesser user may not see all the required attributes, resulting
  >>> >   >>   >> in "no such user" errors.
  >>> >   >>   >>
  >>> >   >>   >> Chris
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >> From:   "Matt ." <yamakasi.014 at gmail.com>
  >>> >   >>   >> To:     Christopher Lamb/Switzerland/IBM at IBMCH
  >>> >   >>   >> Cc:     "freeipa-users at redhat.com" <freeipa-users at redhat.com>
  >>> >   >>   >> Date:   04.08.2015 13:32
  >>> >   >>   >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >> Hi Chris,
  >>> >   >>   >>
  >>> >   >>   >> Thanks for the heads up, indeed local is 4 I see now when I
  >>> >   >>   >> add a group from the GUI, great thanks!
  >>> >   >>   >>
  >>> >   >>   >> But do you use Directory Manager as ldap admin user or some
  >>> >   >>   >> other admin account?
  >>> >   >>   >>
  >>> >   >>   >> I'm not sure if DM is needed and it should get that deep into
  >>> >   >>   >> IPA.
  >>> >   >>   >> Also when starting samba it cannot find "such user" as that
  >>> >   >>   >> sounds quite known as it has no UID.
  >>> >   >>   >>
  >>> >   >>   >> From your config I see you use DM, this should work ?
  >>> >   >>   >>
  >>> >   >>   >> Thanks!
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >> Matt
  >>> >   >>   >>
  >>> >   >>   >>
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>   >
  >>> >   >>
  >>> >   >>   --
  >>> >   >>   Manage your subscription for the Freeipa-users mailing list:
  >>> >   >>   https://www.redhat.com/mailman/listinfo/freeipa-users
  >>> >   >>   Go to http://freeipa.org for more info on the project
  >>> >   >>
  >>> >   >>
  >>> >   >>
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >   >
  >>> >
  >>> >
  >>> >
  >>> >
  >>
  >>
  >
  >
  >
  >
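Added example, not code from the thread or from FreeIPA/Samba: the check the thread keeps returning to (are the Samba objectClasses and attributes present on users and groups, is ipaNTHash there, is SambaPwdLastSet positive) written as a script over the LDIF that `ldapsearch -LLL` prints. The sample LDIF is constructed, and that ipasam groups need ipaNTsecurityidentifier is an assumption of this example, not something the thread states.

```python
"""Check FreeIPA users/groups for the Samba attributes each integration path in
this thread needs.  Added example, not code from the thread, FreeIPA or Samba.
Input is LDIF as `ldapsearch -LLL` prints it; a constructed sample is embedded so
it runs offline.  Values such as ipaNTHash are tested for presence, never shown."""

# Requirements as stated in the thread (Chris's ldapsam entries, Youenn's ipasam
# users); that ipasam groups also need a SID is this example's assumption.
LDAPSAM_USER = ("sambasamaccount", ["sambaSID", "sambaNTPassword", "sambaPwdLastSet"])
LDAPSAM_GROUP = ("sambagroupmapping", ["sambaSID", "sambaGroupType"])
IPASAM_USER = (None, ["ipaNTsecurityidentifier", "ipaNTHash"])
IPASAM_GROUP = (None, ["ipaNTsecurityidentifier"])

def parse_ldif(text):
    """LDIF -> list of {attr_lower: [values]}; unfolds ' ' continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():            # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, rest = line.partition(":")   # 'attr:: b64' lands here too
        cur.setdefault(name.strip().lower(), []).append(rest.lstrip(": "))
    return entries + ([cur] if cur else [])

def missing(entry, classes, req):
    """objectClass/attributes from req that entry lacks (empty list = OK)."""
    oc, attrs = req
    out = ["objectClass " + oc] if oc and oc not in classes else []
    return out + ["attribute " + a for a in attrs if a.lower() not in entry]

def check_entry(entry):
    """{path: [problems]} for one user or group entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" in classes:
        return {"ldapsam": missing(entry, classes, LDAPSAM_GROUP),
                "ipasam": missing(entry, classes, IPASAM_GROUP)}
    result = {"ldapsam": missing(entry, classes, LDAPSAM_USER),
              "ipasam": missing(entry, classes, IPASAM_USER)}
    # Chris: sambaPwdLastSet must be a positive value, or Samba logs an error.
    if any(not (v.isdigit() and int(v) > 0) for v in entry.get("sambapwdlastset", [])):
        result["ldapsam"].append("sambaPwdLastSet not positive")
    return result

def report(ldif_text):
    """Map each entry's dn to its per-path problem lists."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(ldif_text)}

SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1001
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1
ipaNTsecurityidentifier: S-1-5-21-1-2-3-1001
ipaNTHash:: ASNFZ4mrze8BI0VniavN7w==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
ipaNTsecurityidentifier: S-1-5-21-1-2-3-1002

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
ipaNTsecurityidentifier: S-1-5-21-1-2-3-2001
"""

if __name__ == "__main__":
    for dn, paths in report(SAMPLE).items():
        print(dn, {p: problems or "OK" for p, problems in paths.items()})
```

Against a live directory, pipe the output of `ldapsearch -Y GSSAPI -LLL -b cn=accounts,<base> '(|(objectClass=posixAccount)(objectClass=posixGroup))'` (the CIFS service's Kerberos identity) into report() to see, per entry, what the ldapsam and ipasam paths would still find missing.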






