[Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on Centos 7?

Dmitri Pal dpal at redhat.com
Wed Feb 11 06:47:55 UTC 2015


On 02/10/2015 08:39 PM, Israel Miranda wrote:
> I have a freeipa installation of v4 on Fedora 21.
> I have a separate fileserver with freeipa packages installed from
> mkosek-freeipa-epel-7.repo on centos 7.
>
> I have:
> * created sambaSAMAccount, sambaGroupMapping UserObjects
> * created an entry for DNA plugin to populate them
> cn=SambaGroupSid,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> * added a CoS template for sambaGroupType
> * added a CoS definition for sambaGroupType
> * used ipa-adtrust-install to create and populate ipaNTHash
> * checked the creation of these attributes with an ldap browser, all ok
> * put the fileserver machine on the domain
> * added necessary permissions, privileges and roles
> * installed kerberos keytab on the fileserver
> * was able to retrieve ipaNTHash attribute with the keytab from samba server
>
> and now the only thing missing is to integrate the fileserver with the
> ipaserver.
> I don't mind using ipasam, but to install it on my centos7
> fileserver, which only has samba installed and nothing else, it also
> pulls the whole freeipa-server package, and this is overkill just to
> get ipasam.so. So I'd like some help in compiling it separately.
> I am using standard samba server distributed with centos 7.
>
> So I tried to use  passdb backend = ldapsam:ldap//ipaserver
> but samba tries to bind using admin user, and doesn't use keytab, even
> though I put
>          dedicated keytab file = FILE:/etc/samba/samba.keytab
>          kerberos method = dedicated keytab
> in smb.conf.
>
> So please help me in getting these two things done:
>
> 1. use samba with freeipa through ldap (I know it is worse than
> ipasam, but would be nice to know how to integrate freeipa with samba
> with ldap on systems where ipasam might not be available)
>
> 2. compile an ipasam.so module so we can work on creating an rpm
> package in the future, since it is necessary to install ipasam.so
> separately.
>
> Kudos for the development team for this amazing software.
>
> Thanks in advance
>
>
> Free software philosophy :
>
> Information is for free.
> People are not.
> Contributors are priceless.
>
>
> Free software philosophy:
>
> Information is free.
> People are not.
> Contributors are priceless.
>
>
> Israel Vinícius Miranda
>
Have you considered this: 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA ?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



