[Freeipa-users] Ubuntu Samba Server Auth against IPA

Matt . yamakasi.014 at gmail.com
Fri Aug 7 21:49:24 UTC 2015


Hi Alexander,

Yes I'm on the same path, but for now I would like to get it working
on Ubuntu for the time being.

Are you sure Ubuntu is not MIT? We discussed that some time ago
on IRC and it seemed that Ubuntu was built against MIT.

Cheers,

Matt

2015-08-07 23:37 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
> On Fri, 07 Aug 2015, Matt . wrote:
>>
>> Hi Alexander,
>>
>> Yes this is known, but it's not usable yet, at least not on an Ubuntu
>> Samba server as far as I know?
>>
>> If so, maybe you can help us out here to clear up how to do it.
>
> Sorry, I cannot help you with Ubuntu setup, you need to figure it out
> yourself. I did write original instructions Youenn referred to, so I
> know they work well and Youenn's configuration just proves that.
>
> Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
> against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
> Samba build this way.
>
> Anything you would do, you'd be out of supported way -- either when you
> modify IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
> I don't want to spend time on digging up unsupported configuration
> details when the same time could be spent on improving FreeIPA 4.2 and
> bringing SSSD+Samba setup closer to where we want to have it. Maybe it
> sounds harsh but we have to decide what battles we think are more
> important and to me this one is more important even considering my spare
> time.
>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>>
>>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>>
>>>>
>>>> Hi Matt
>>>>
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>>
>>>> The route I took is suited where there is no Active Directory involved:
>>>> In my case all the Windows, OSX and Linux clients are islands that sit on
>>>> the same network.
>>>>
>>>> The route that Youenn has taken (unless I have got completely the wrong
>>>> end of the stick) requires Active Directory in the architecture.
>>>
>>>
>>> Yes, you are at the wrong end of the stick. You don't need AD in the
>>> architecture here. You can reuse IPA design for AD integration via trust
>>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>>> This is what Youenn did. The only way we don't support it (yet) is
>>> because we think doing a longer term solution via SSSD and NTLMSSP
>>> support is better scalability-wise -- your SSSD client is already having
>>> LDAP connection and is already holding identity mappings in the cache so
>>> there is no need to run separate LDAP connection in smbd/winbindd for
>>> that and cache the same data in a different way.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>>
>
>
> --
> / Alexander Bokovoy



