[Freeipa-users] freeipa-samba integration and windows clients

Alexander Bokovoy abokovoy at redhat.com
Thu May 7 07:48:06 UTC 2015


On Thu, 07 May 2015, box 31978 wrote:
>Hello Alexander,
>
>Thank you very much for your answers!
>
>> If Windows client is not a part of the domain, there is no SSO and no
>> Kerberos. Windows client will attempt using NTLMSSP authentication.
>> ...
>> Right now -- yes. You are saying you've following "FreeIPA's Samba
>> integration guide" which I assume is
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
>> which only works for Kerberos authentication because NTLMSSP is not
>> supported by the SSSD.
>
>Yes, your assumption is absolutely exact ;-)
>
>That's clear now, my thoughts went in this direction too: anyone is
>handling a new kerberos ticket request because of authentication type.
>
>> Not really. The story is more complex than it seems and right now there
>> is no ready-made solution for out-of-domain Windows clients.
>
>Ok, I understand.
>
>Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
>works fine on Samba3 and 389-DS), but I'm not sure about the configuration.
>Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
>and LDAP auth (added settings in sssd.conf) at the same time for the same
>domain? Will it work together or will I have to choose one of the two?
SSSD can but you need Samba to be aware of these things because Samba
needs way more than just passwords. FreeIPA uses different LDAP schema
for the additional attributes compared to what standard Samba PASSDB
module for LDAP expects so if you enable that one in smb.conf, you'll
get nothing.

As Christoph pointed out in another email, you may try to enable the older
Samba-compatible schema, but that wouldn't play well with IPA's support
for SIDs (including on the SSSD side) as we are using different attributes
and you'll be forced to maintain certain aspects manually.

There is hope to get NTLMSSP support implemented, but not soon; we have
bits in place but there is still work to be done.
-- 
/ Alexander Bokovoy
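The schema mismatch Alexander describes (Samba's LDAP passdb module expecting one set of attributes, FreeIPA populating another) can be checked against an ldapsearch LDIF dump before touching smb.conf. The script below is an added example, not code from this thread, FreeIPA or Samba; it assumes the objectClass and attribute names shown (sambaSamAccount, sambaSID, sambaNTPassword for ldapsam; ipaNTUserAttrs, ipaNTSecurityIdentifier for IPA) and runs on a constructed LDIF sample.

```python
# Which schema do these LDAP user entries follow: Samba ldapsam's or FreeIPA's?
# Attribute names are the two schemas' as I know them; the LDIF sample is constructed.
import base64

SAMBA_OC = "sambasamaccount"                   # ldapsam objectClass
SAMBA_ATTRS = {"sambasid", "sambantpassword"}  # minimum ldapsam needs
IPA_OC = "ipantuserattrs"                      # FreeIPA's equivalent
IPA_ATTR = "ipantsecurityidentifier"           # where IPA keeps the SID

def parse_ldif(text):
    """Minimal LDIF parser -> [{attr(lowercase): [values]}]; folded lines, '::' base64, '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def classify(entry):
    """'samba' if ldapsam can use it, 'ipa' if only IPA NT attrs, else 'none'."""
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    if SAMBA_OC in ocs and SAMBA_ATTRS <= entry.keys():
        return "samba"
    return "ipa" if IPA_OC in ocs and IPA_ATTR in entry else "none"

def report(ldif_text):
    """Map uid -> classification for every entry in an ldapsearch LDIF dump."""
    return {e["uid"][0]: classify(e) for e in parse_ldif(ldif_text)}

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: ipaNTUserAttrs
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: sambaSamAccount
uid:: Ym9i
sambaSID: S-1-5-21-1-2-3-1002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""
```

An entry reported as "ipa" is exactly the case in the thread: ldapsam will not find what it needs there even though the user has a SID.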
