[Freeipa-users] Ubuntu Samba Server Auth against IPA

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 7 21:37:03 UTC 2015


On Fri, 07 Aug 2015, Matt . wrote:
>Hi Alexander,
>
>Yes, this is known, but it's not usable yet, at least not on an Ubuntu
>Samba server as far as I know?
>
>If so, maybe you can help us out here to clear this up how to do it.
Sorry, I cannot help you with Ubuntu setup, you need to figure it out
yourself. I did write the original instructions Youenn referred to, so I
know they work well and Youenn's configuration just proves that.

Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
Samba build this way.

Anything you would do, you'd be outside the supported path -- either when
you modify the IPA LDAP schema or when you build Samba in Ubuntu with MIT
Kerberos.
I don't want to spend time on digging up unsupported configuration
details when the same time could be spent on improving FreeIPA 4.2 and
bringing SSSD+Samba setup closer to where we want to have it. Maybe it
sounds harsh but we have to decide what battles we think are more
important and to me this one is more important even considering my spare
time.

>Thanks!
>
>Matt
>
>2015-08-07 23:09 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>
>>> Hi Matt
>>>
>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>> integration paths.
>>>
>>> The route I took is suited where there is no Active Directory involved: In
>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>> same network.
>>>
>>> The route that Youenn has taken (unless I have got completely the wrong
>>> end of the stick) requires Active Directory in the architecture.
>>
>> Yes, you are at the wrong end of the stick. You don't need AD in the
>> architecture here. You can reuse IPA design for AD integration via trust
>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>> This is what Youenn did. The only reason we don't support it (yet) is
>> because we think doing a longer term solution via SSSD and NTLMSSP
>> support is better scalability-wise -- your SSSD client already has an
>> LDAP connection and is already holding identity mappings in the cache so
>> there is no need to run a separate LDAP connection in smbd/winbindd for
>> that and cache the same data in a different way.
>>
>> --
>> / Alexander Bokovoy
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
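The practical consequence of the Heimdal-vs-MIT point above is that, before trying the ipasam.so route on any distribution's Samba packages, you want to know which Kerberos implementation the installed smbd is actually linked against. The following script is an added example, not code from this thread or from the FreeIPA or Samba projects. It classifies `ldd smbd` output by library naming: the assumption (labelled in the code) is that Samba's bundled Heimdal libraries are installed with a `-samba4` suffix (libkrb5-samba4, libhdb-samba4, libroken-samba4, ...), while an MIT-linked build pulls in the system libkrb5.so.3, libgssapi_krb5.so.2 and libk5crypto.so.3. The two sample ldd listings are constructed for illustration; the load addresses and paths are not real output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, FreeIPA or Samba).
# Decide whether a Samba build is linked against Heimdal or MIT Kerberos,
# since ipasam.so can only be built against MIT Kerberos.

# classify_krb5: reads `ldd <smbd>` output on stdin and prints one of
# "heimdal", "mit" or "unknown".
# Assumption: Samba's bundled Heimdal libraries carry a "-samba4" suffix,
# whereas an MIT build links the system libkrb5/libgssapi_krb5/libk5crypto.
classify_krb5() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -E 'lib(krb5|hdb|roken|asn1|hx509|heimbase|gssapi)-samba4\.so'; then
        echo heimdal
    elif printf '%s\n' "$out" | grep -q -E 'lib(krb5|gssapi_krb5|k5crypto)\.so\.[0-9]'; then
        echo mit
    else
        echo unknown
    fi
}

# check_smbd: locate the installed smbd and classify its shared-library
# dependencies. Returns 2 when no smbd is on PATH.
check_smbd() {
    bin=$(command -v smbd 2>/dev/null) || {
        echo "smbd not found on PATH" >&2
        return 2
    }
    ldd "$bin" | classify_krb5
}

# Constructed sample output (not real ldd output): what a Heimdal-based
# distribution build of smbd typically looks like.
UBUNTU_SAMPLE='	linux-vdso.so.1 (0x00007ffd00000000)
	libkrb5-samba4.so.26 => /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26 (0x00007f0000000000)
	libroken-samba4.so.19 => /usr/lib/x86_64-linux-gnu/samba/libroken-samba4.so.19 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

# Constructed sample output (not real ldd output): an MIT-linked smbd.
MIT_SAMPLE='	linux-vdso.so.1 (0x00007ffd00000000)
	libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000000000)
	libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000100000)
	libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000300000)'

# Demonstrate on the constructed samples, then on the local smbd if present.
printf 'constructed Heimdal build: %s\n' "$(printf '%s\n' "$UBUNTU_SAMPLE" | classify_krb5)"
printf 'constructed MIT build:     %s\n' "$(printf '%s\n' "$MIT_SAMPLE" | classify_krb5)"
if command -v smbd >/dev/null 2>&1; then
    printf 'installed smbd:            %s\n' "$(check_smbd)"
fi
```

If the result is `heimdal`, the Ubuntu-packaged smbd cannot load an ipasam.so and the only ways forward are the unsupported ones Alexander describes (rebuilding Samba against MIT Kerberos) or the SSSD-based integration the project is working toward.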