[Freeipa-users] freeipa-samba integration and windows clients

Alexander Bokovoy abokovoy at redhat.com
Thu May 7 05:28:05 UTC 2015


On Wed, 06 May 2015, box 31978 wrote:
>Hello everyone,
>
>These days I'm testing integration between FreeIPA4 and Samba4 at file
>sharing level. Everything seems to work fine except share access from a
>standalone Windows client.
>
>This is the setup (everything is up-to-date):
>- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
>- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs,
>not a DC)
>- win-client: Windows 7 Home Premium
>
>Config is done following the FreeIPA's Samba integration guide, and testing
>with samba-client from ipa-server (or any other ipa-joined machine) to
>file-server using kerberos after calling kinit is successful (file
>manipulation included).
>
>Attempts to connect to the same share from win-client end up with a login
>error. Analyzing logs: Samba can't find the user because it can't find any
>DC, and that's because Samba can't resolve the workgroup name (note that's not
>a question of SSO: win-client asks to type username and password). It seems
>that maybe Samba is not handling new kerberos ticket requests.
If the Windows client is not part of the domain, there is no SSO and no
Kerberos. The Windows client will attempt to use NTLMSSP authentication.

>By now, my questions are:
>- Can this setup work, or is it absolutely necessary that any Windows client
>expecting to access Samba shares has to be already joined to a trusted
>domain?
Right now -- yes. You are saying you've been following "FreeIPA's Samba
integration guide" which I assume is
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
which only works for Kerberos authentication because NTLMSSP is not
supported by the SSSD.

>- If this setup can't be done, I'll go for an LDAP config in file-server
>against ipa-server, but then, can I maintain the file-server joined with
>ipa-client? Will it work?
Not really. The story is more complex than it seems and right now there
is no ready-made solution for out-of-domain Windows clients.

-- 
/ Alexander Bokovoy