[Freeipa-users] freeipa-samba integration and windows clients

Dmitri Pal dpal at redhat.com
Thu May 7 00:22:06 UTC 2015


On 05/06/2015 05:11 PM, box 31978 wrote:
> Hello everyone,
>
> These days I'm testing integration between FreeIPA4 and Samba4 at file 
> sharing level. Everything seems to work fine except share access from 
> a standalone Windows client.
>
> This is the setup (everything is up-to-date):
> - ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
> - file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home 
> dirs, not a DC)
> - win-client: Windows 7 Home Premium
>
> Config is done following the FreeIPA's Samba integration guide, and 
> testing with samba-client from ipa-server (or any other ipa-joined 
> machine) to file-server using kerberos after calling kinit is 
> successful (file manipulation included).
>
> Attempts to connect to the same share from win-client end up with a
> login error. Analyzing logs: Samba can't find the user because it
> can't find any DC, and that's because Samba can't resolve workgroup 
> name (note that's not a question of SSO: win-client asks to type 
> username and password). It seems that maybe Samba is not handling new 
> kerberos ticket requests.
>
> By now, my questions are:
> - Can this setup work, or is it absolutely necessary that any Windows
> client expecting to access Samba shares has to be already joined to a
> trusted domain?

Samba can have different ID sources. Maybe there is a way to somehow
specify users that are not members of the domain locally on the Samba 
server. At least this is what I would research if I faced that issue.

> - If this setup can't be done, I'll go for an LDAP config in 
> file-server against ipa-server, but then, can I maintain the 
> file-server joined with ipa-client? Will it work?

Yes. With SSSD 1.12 on the file server it should work.
https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient

>
> Feel free to ask whatever you want, any suggestions will be welcome. 
> Thanks!
>
> Regards,
>
> A.
>
>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
