[Freeipa-users] FreeIPA and Samba4

Troels Hansen th at casalogic.dk
Tue Oct 27 13:53:53 UTC 2015


This might be related to the old thread https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html but on the other hand not quite, and I can't see that it has been solved.

I have been spending quite some time on this, but haven't been able to solve it yet. 

My problem is: 

I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
No Windows and definitely no AD; however, we use Samba for sharing files to some clients.

Clients are mostly Ubuntu-based laptops, completely individually managed. No central user admin or anything.
Users manage their own PC 100%.

We have two IPA servers set up, and all Linux servers authenticate against IPA and all that works flawlessly.

We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4, using the ipa migrate script and this also worked fine. 

Now comes the tricky part that I haven't been able to solve. 

I can't seem to set Samba to play with IPA. 

I have been trying to use the plain old ldapsam backend, but never managed to get it to work.
It seems Samba can't authenticate users.

Tried the ipasam backend, using kerberos, following the instructions from the old thread: https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
Samba fails to start up, with a:

[2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2015/10/27 14:13:42.127785, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
  pdb backend ipasam:"ldaps://kenai.casalogic.lan ldaps://koda.casalogic.lan" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

If I look at the users directly in LDAP, I can see they don't have an ipaNTHash or ipaNTSecurityIdentifier attribute; however, they have preserved their old LDAP-ish sambaLMPassword and sambaNTPassword.

I might be completely off, but I need Samba to authenticate users against IPA, using password, and not krb as I have no control over the clients. 

FreeIPA is currently 4.1 

-- 


Kind regards

Troels Hansen 

Systems Consultant

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
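
The attribute state described in the message above (legacy sambaLMPassword/sambaNTPassword present, ipaNTHash and ipaNTSecurityIdentifier absent) can be checked for every account from an LDIF export of the users subtree. This is an added example, not part of the original post and not FreeIPA code; the sample entries, DNs and values are constructed placeholders, and `parse_ldif` and `audit` are hypothetical helper names.

```python
import base64

# Attribute names are the ones named in the post.
LEGACY = ("sambaLMPassword", "sambaNTPassword")
IPA = ("ipaNTHash", "ipaNTSecurityIdentifier")

# Constructed sample export (not real data); hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
sambaLMPassword: PLACEHOLDER
sambaNTPassword: PLACEHOLDER

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-1111-2222-3333-
 1001
ipaNTHash:: UExBQ0VIT0xERVI=

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""

def parse_ldif(text):
    """Yield {lowercased attr: [values]} per entry; handles folding and base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]           # LDIF continuation line
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: <base64 value>"
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)

def audit(text):
    """Map each uid to the legacy Samba attrs it holds and the IPA attrs it lacks."""
    return {e.get("uid", e.get("dn", ["?"]))[0]: {
                "legacy": [a for a in LEGACY if a.lower() in e],
                "missing_ipa": [a for a in IPA if a.lower() not in e]}
            for e in parse_ldif(text)}
```

Accounts that report both legacy attributes and both IPA attributes missing are in the state the message describes.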