[Freeipa-users] freeipa-samba integration and windows clients

Wed May 6 21:11:11 UTC 2015

Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from a
standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs,
not a DC)
- win-client: Windows 7 Home Premium

Config is done following the FreeIPA's Samba integration guide, and testing
with samba-client from ipa-server (or any other ipa-joined machine) to
file-server using kerberos after calling kinit is successful (file
manipulation included).

Attempts to connect to the same share from win-client ends up with a log in
error. Analyzing logs: Samba can't find the user because it can't find any
DC, and that's because Samba can't resolve workgroup name (note that's not
a question of SSO: win-client asks to type username and password). It seems
that maybe Samba is not handling new kerberos ticket requests.

By now, my questions are:
- Can this setup work or it is absolutely necessary that any Windows client
expecting to access Samba shares have to be already joined to a trusted
domain?
- If this setup can't be done, I'll go for an LDAP config in file-server
against ipa-server, but then, can I maintain the file-server joined with
ipa-client? Will it work?

Feel free to ask whatever you want, any suggestions will be welcome. Thanks!

Regards,

A.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150506/378b78a1/attachment.htm>