[Freeipa-users] freeipa-samba integration and windows clients

Christopher Lamb christopher.lamb at ch.ibm.com
Thu May 7 05:39:24 UTC 2015 

Hi

Yes, it's possible to operate freeIPA and Samba as you suggest, we have
been doing so for some years now (with several freeIPA and Samba versions).

Our end users use a mix of Windows and OSX laptops / workstations. These
are not members of any kind of domain. They access our file servers via
Samba shares authenticated by freeIPA.

The samba server is a freeIPA client.

The samba config on the freeIPA side looks like it was done along the lines
in the link
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The ldap config in our samba smb.conf looks like this:

	security = user
	passdb backend = ldapsam:ldap://ldap.my.example.com

	ldap suffix = dc=my,dc=example,dc=com

	ldap admin dn = cn=Directory Manager
        	ldap ssl = off

Cheers

Chris



From:	box 31978 <box31978 at gmail.com>
To:	freeipa-users at redhat.com
Date:	06.05.2015 23:18
Subject:	[Freeipa-users] freeipa-samba integration and windows clients
Sent by:	freeipa-users-bounces at redhat.com



Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from a
standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs,
not a DC)
- win-client: Windows 7 Home Premium

Config is done following the FreeIPA's Samba integration guide, and testing
with samba-client from ipa-server (or any other ipa-joined machine) to
file-server using kerberos after calling kinit is successful (file
manipulation included).

Attempts to connect to the same share from win-client ends up with a log in
error. Analyzing logs: Samba can't find the user because it can't find any
DC, and that's because Samba can't resolve workgroup name (note that's not
a question of SSO: win-client asks to type username and password). It seems
that maybe Samba is not handling new kerberos ticket requests.

By now, my questions are:
- Can this setup work or it is absolutely necessary that any Windows client
expecting to access Samba shares have to be already joined to a trusted
domain?
- If this setup can't be done, I'll go for an LDAP config in file-server
against ipa-server, but then, can I maintain the file-server joined with
ipa-client? Will it work?

Feel free to ask whatever you want, any suggestions will be welcome.
Thanks!

Regards,

A.--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list