[Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on Centos 7?

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 11 08:32:43 UTC 2015


On Tue, 10 Feb 2015, Israel Miranda wrote:
>I have a freeipa installation of v4 on Fedora 21.
>I have a separate fileserver with freeipa packages installed from
>mkosek-freeipa-epel-7.repo on centos 7.
>
>I have:
>* created sambaSAMAccount,sambaGroupMapping UserObjects
>* created an entry for DNA plugin to populate them
>cn=SambaGroupSid,cn=Distributed Numeric Assignment
>Plugin,cn=plugins,cn=config
>* added a CoS template for sambaGroupType
>* added a CoS definition for sambaGroupType
>* used ipa-adtrust-install to create and populate ipaNTHash
>* checked with the creation of these attributes with an ldap browser all ok
>* put the fileserver machine on the domain
>* added necessary permission, privileges and roles
>* installed kerberos keytab on the fileserver
>* was able to retrieve ipaNTHash attribute with the keytab from samba server
>
>and now the only thing missing is to integrate the fileserver with the
>ipaserver.
>I don't mind using ipasam, but to install it on my centos7
>fileserver, which only has samba installed and nothing else, it also
>pulls the whole freeipa-server package, and this is overkill just to
>get ipasam.so. So I'd like some help in compiling it separately.
>I am using standard samba server distributed with centos 7.
>
>So I tried to use passdb backend = ldapsam:ldap//ipaserver
>but samba tries to bind using admin user, and doesn't use keytab, even
>though I put
>        dedicated keytab file = FILE:/etc/samba/samba.keytab
>        kerberos method = dedicated keytab
>in smb.conf.
ldapsam currently does not yet support keytab use. With CentOS7/mkosek
COPR repo you don't need to use any special passdb module anymore, just
follow
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


>
>So please help me in getting these two things done:
>
>1. use samba with freeipa through ldap (I know it is worse than
>ipasam, but would be nice to know how to integrate freeipa with samba
>with ldap on systems where ipasam might not be available)
Don't do that, use sssd-libwbclient integration. It requires pretty
fresh sssd version (1.12.2+) but systems you mentioned (F21 and CentOS7
with mkosek COPR repo) have it.

>2. compile an ipasam.so module so we can work on creating an rpm
>package in the future, since it is necessary to install ipasam.so
>separately.
No need to do that when using sssd-libwbclient integration.

-- 
/ Alexander Bokovoy



