[Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separetely on Centos 7 ?

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 12 06:46:47 UTC 2015


On Wed, 11 Feb 2015, Israel Miranda wrote:
>I did follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>but first I was always getting NT_STATUS_UNSUCCESSFUL
>First I thought it was related to a bad parameter in my samba
>configuration, because
>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>says it is about ipa v4 and I found this ticket
>https://fedorahosted.org/freeipa/ticket/3999 I thought the
>documentation was incomplete.
Documentation regarding Samba integration is incomplete. We are working
on improving it but nothing is ready for review yet.

>I debugged the Kerberos log file and I realized I was using just username
>instead of username@REALM.COM on the Windows 8 machine. It showed REALM as
>a groupname and I thought samba would do the translation but even on
>Windows share logon you have to use username@REALM.COM, otherwise it
>doesn't work.
Yes. When you are using cross-forest trust to AD this will happen
automatically. If you are not using cross-forest trust to AD, this use
case is not yet officially supported, so I am glad that it works for you.

>Also what about all those ldap objects I created earlier ?
>Are they worth or need for a kerberized CIFS server ?
>Because they are not mentioned in
>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
You don't need to create any additional LDAP objects.

What you need is basically the following:

1. Run ipa-adtrust-install on all masters that will be serving AD users.
Right now this means effectively all masters but we are working on
separating the heavy parts (running smbd/winbindd on each master) soon.

2. Use http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
to configure your Fedora 21+ or RHEL7.1beta or later servers to host
Samba.


>It is working flawlessly now. Thanks a lot for the tip, now my
>smb.conf is just like in the example of the howto and it is working
>through sssd-libwbclient accessing the keytab.
>
>I have detailed the steps and commands to create the ldap objects,
>there is a typo many places on the internet because it was reproduced
>from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
Notice that it is against Fedora 17 which is way old now and obsolete.

>I also think should be documented somewhere that ipa-adtrust-install
>creates/populates the ipaNTHash, I couldn't find it anywhere, someone
>told me this on freenode.
Given that you don't need to know about ipaNTHash to use
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
all you need is documented there. I've added a note that IPA masters
have to be configured with ipa-adtrust-install.


>And one more doubt.
>ipa config-mod --userobjectclasses=aaa,bbb,ccc
>or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
>doesn't work on iPA 4.
>Is there a way of doing this on the command line on ipa 4 ?
Use shell expansion.

ipa object-command --attribute={value1,value2,value3,...}


-- 
/ Alexander Bokovoy
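The "shell expansion" advice at the end of the reply relies on bash brace expansion: an unquoted `--attribute={a,b,c}` is turned by bash into three separate `--attribute=` options before the `ipa` client ever runs, which is how the CLI takes a multi-valued attribute. The following is an added example, not code from the thread or from the FreeIPA project: it replaces the real `ipa` binary with a stub that only echoes its arguments (so it runs offline without an IPA server), uses constructed sample object-class values, and runs the command line under `bash` explicitly because brace expansion is a bash feature that plain POSIX `sh` does not perform. It also shows the common failure mode of putting the braces in quotes, which suppresses the expansion and sends one literal value.

```shell
# Added example, not part of the original mailing-list thread.
# The "ipa" stub below stands in for the real IPA CLI and just prints
# every argument it receives on its own line, so we can see exactly
# what brace expansion hands to the command.
ipa() { printf '%s\n' "$@"; }

# Run "ipa config-mod <args>" under bash, with the stub defined inside
# that bash process, and return the argument list the stub received.
# $1 is the option text exactly as it would be typed at a bash prompt.
run_under_bash() {
    bash -c 'ipa() { printf "%s\n" "$@"; }; ipa config-mod '"$1"
}

# Unquoted braces: bash expands {top,person,posixaccount} into three
# separate --userobjectclasses= options (constructed sample values).
expanded_option_count() {
    run_under_bash '--userobjectclasses={top,person,posixaccount}' \
        | grep -c '^--userobjectclasses='
}

# The values the CLI would receive, joined with commas for easy checking.
expanded_values() {
    run_under_bash '--userobjectclasses={top,person,posixaccount}' \
        | grep '^--userobjectclasses=' \
        | sed 's/^--userobjectclasses=//' \
        | paste -sd, -
}

# Quoted braces: no expansion happens, so the CLI receives exactly one
# option whose literal value is "{top,person,posixaccount}". This is why
# "it doesn't work" when the braces are quoted.
quoted_option_count() {
    run_under_bash '--userobjectclasses="{top,person,posixaccount}"' \
        | grep -c '^--userobjectclasses='
}

# Print the full argument lists side by side for the reader.
show_expansion() {
    echo "unquoted braces -> $(expanded_option_count) option(s):"
    run_under_bash '--userobjectclasses={top,person,posixaccount}'
    echo "quoted braces   -> $(quoted_option_count) option(s):"
    run_under_bash '--userobjectclasses="{top,person,posixaccount}"'
}

show_expansion
```

The same pattern applies to `--groupobjectclasses` or any other multi-valued option: keep the braces unquoted, and check with `echo ipa config-mod --userobjectclasses={...}` first if you want to see the expanded command line before running it against a real server.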