[Freeipa-users] FreeIPA and Samba4
Troels Hansen
th at casalogic.dk
Thu Oct 29 18:43:46 UTC 2015
I should think so:
On IPA server.
ipa role-show 'CIFS server'
Role name: CIFS server
Privileges: CIFS server privilege
Member services: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
ipa privilege-show 'CIFS server privilege'
Privilege name: CIFS server privilege
Permissions: CIFS test, CIFS server can read user passwords
Granting privilege to roles: CIFS server
ipa permission-show 'CIFS server can read user passwords'
Permission name: CIFS server can read user passwords
Granted rights: read, search, compare
Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
Bind rule type: permission
Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
Type: user
Granted to Privilege: CIFS server privilege
Indirect Member of roles: CIFS server
ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN -k /tmp/samba.keytab
samba.keytab copied to samba server.
on samba server (tinkerbell):
kdestroy -A
kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
SASL/GSSAPI authentication started
SASL username: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <joshua.doll at gmail.com> wrote:
Are you using the correct principal for the ldapsearch? Did you grant it permissions to view those attributes?
--Joshua D Doll
On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <th at casalogic.dk> wrote:
Hmm, weird.
I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs.
However, I still can't see them on the user.
The IPA DB doesn't reveal them being generated, and I can't look them up via LDAP.
ldapsearch -Y GSSAPI uid=th ipaNTHash
.......
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
.....
Samba however starts fine now, but unable to find any users:
pdbedit -Lv
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <joshua.doll at gmail.com> wrote:
To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the ipa-adtrust-install --add-sids, even though I was not setting up a trust. It would be nice if there was a way to generate these values another way, maybe there is but I missed it.
--Joshua D Doll
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Best regards
Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
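Not from the thread: an added Python helper that parses the ldapsearch LDIF output shown above and reports which entries under cn=accounts came back without ipaNTHash, keeping in mind that the attribute is binary and therefore prints as a base64 `attr:: value` line in LDIF. The sample LDIF is constructed from the output quoted in the thread; the hash value in the second sample is made up, and the search on its own cannot distinguish "never generated" from "not readable by this bind".

```python
import base64
from typing import Dict, List
# Constructed sample: the thread's ldapsearch output as posted (no ipaNTHash on
# either entry), plus a variant in which the accounts entry does return one
# (a made-up 16 zero bytes). ACCOUNTS_DN is taken from the thread's output.
LDIF_MISSING = """\
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

search: 4
result: 0 Success
"""
ACCOUNTS_DN = "uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan"
LDIF_PRESENT = LDIF_MISSING.replace(
    f"dn: {ACCOUNTS_DN}\n",
    f"dn: {ACCOUNTS_DN}\nipaNTHash:: {base64.b64encode(bytes(16)).decode()}\n")

def parse_ldif(text: str) -> Dict[str, Dict[str, List[bytes]]]:
    """Parse ldapsearch LDIF into {dn: {attr: [values]}}: skip '#' comments,
    unfold continuation lines (leading space) and decode 'attr:: base64', which
    is how binary attributes such as ipaNTHash are printed. No-dn blocks are dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[bytes]]] = {}
    record: Dict[str, List[bytes]] = {}
    for line in lines + [""]:             # sentinel blank closes the last record
        if not line:
            if "dn" in record:
                entries[record["dn"][0].decode()] = record
            record = {}
            continue
        attr, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip().encode()
        record.setdefault(attr, []).append(value)
    return entries

def missing_attr(ldif: str, attr: str, subtree: str = "cn=accounts") -> List[str]:
    """DNs under `subtree` returned without `attr`. Non-empty means the value was
    never generated or the bind lacks read permission; the search cannot tell which."""
    return [dn for dn, attrs in parse_ldif(ldif).items()
            if subtree in dn and attr.lower() not in {a.lower() for a in attrs}]
```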