[Freeipa-users] FreeIPA and Samba4

Troels Hansen th at casalogic.dk
Thu Oct 29 18:43:46 UTC 2015


I should think so: 

On IPA server. 

ipa role-show 'CIFS server' 
Role name: CIFS server 
Privileges: CIFS server privilege 
Member services: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN 

ipa privilege-show 'CIFS server privilege' 
Privilege name: CIFS server privilege 
Permissions: CIFS test, CIFS server can read user passwords 
Granting privilege to roles: CIFS server 

ipa permission-show 'CIFS server can read user passwords' 
Permission name: CIFS server can read user passwords 
Granted rights: read, search, compare 
Effective attributes: ipaNTHash, ipaNTSecurityIdentifier 
Bind rule type: permission 
Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan 
Type: user 
Granted to Privilege: CIFS server privilege 
Indirect Member of roles: CIFS server 

ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN -k /tmp/samba.keytab 

samba.keytab copied to samba server. 

on samba server (tinkerbell): 
kdestroy -A 
kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan 
ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash 

SASL/GSSAPI authentication started 
SASL username: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN 
SASL SSF: 56 
SASL data security layer installed. 
# extended LDIF 
# 
# LDAPv3 
# base <dc=casalogic,dc=lan> (default) with scope subtree 
# filter: uid=th 
# requesting: ipaNTHash 
# 

# th, users, compat, casalogic.lan 
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan 

# th, users, accounts, casalogic.lan 
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan 

# search result 
search: 4 
result: 0 Success 

# numResponses: 3 
# numEntries: 2 



----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <joshua.doll at gmail.com> wrote: 



Are you using the correct principal for the ldapsearch? Did you grant it permissions to view those attributes? 
--Joshua D Doll 
On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <th at casalogic.dk> wrote: 


Hmm, weird. 
I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs. 
However, I still can't see them on the user. 
The IPA db doesn't reveal them being generated and I can't look them up via LDAP. 

ldapsearch -Y GSSAPI uid=th ipaNTHash 
....... 
# th, users, compat, casalogic.lan 
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan 

# th, users, accounts, casalogic.lan 
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan 

..... 

Samba however starts fine now, but is unable to find any users: 
pdbedit -Lv 
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan 



----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <joshua.doll at gmail.com> wrote: 




To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the ipa-adtrust-install --add-sids, even though I was not setting up a trust. It would be nice if there was a way to generate these values another way, maybe there is but I missed it. 

--Joshua D Doll 

-- 
Manage your subscription for the Freeipa-users mailing list: 
https://www.redhat.com/mailman/listinfo/freeipa-users 
Go to http://freeipa.org for more info on the project 





-- 


Kind regards 

Troels Hansen 
Systems consultant 
Casalogic A/S 

T (+45) 70 20 10 63 
M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. 
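An added example in Python, not code from this thread: it parses two ldapsearch LDIF captures for the same user, one taken while bound as the cifs/ service principal (as in the kinit/ldapsearch steps above) and one taken as a privileged identity such as admin, and reports whether ipaNTHash and ipaNTSecurityIdentifier are absent because they were never generated or because the service principal's permission chain does not let it read them. The sample LDIF below is constructed and the hash and SID values are made up.

```python
import base64


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from ldapsearch LDIF output,
    skipping '#' comment lines and decoding '::' base64 values to bytes."""
    records, current = [], None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                records.append(current)
            current = None
        elif not line.startswith("#"):
            name, sep, value = line.partition(":")
            if not sep:
                continue  # not an attribute line
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            if name.lower() == "dn":
                current = (value, {})
            elif current:  # "search:"/"result:" lines outside an entry are dropped
                current[1].setdefault(name.lower(), []).append(value)
    return records


def missing_attrs(records, requested):
    """Map each returned DN to the requested attributes it did not carry."""
    want = [a.lower() for a in requested]
    return {dn: [a for a in want if a not in attrs] for dn, attrs in records}


def diagnose(dn, requested, service_ldif, admin_ldif):
    """'ok': the service principal got everything; 'acl': only the privileged
    bind did, so the permission/privilege/role chain is the problem;
    'unpopulated': neither bind got them, so the values were never generated."""
    svc = missing_attrs(parse_ldif(service_ldif), requested).get(dn)
    adm = missing_attrs(parse_ldif(admin_ldif), requested).get(dn)
    if svc is None:
        return "no-entry"
    if not svc:
        return "ok"
    return "acl" if adm == [] else "unpopulated"


# Constructed sample captures (hash and SID values are made up).
USER_DN = "uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan"
SERVICE_LDIF = "# th, users, accounts, casalogic.lan\ndn: %s\n\nresult: 0 Success\n" % USER_DN
ADMIN_LDIF = ("dn: %s\nipaNTHash:: AAECAwQFBgcICQoLDA0ODw==\n"
              "ipaNTSecurityIdentifier: S-1-5-21-111-222-333-1001\n" % USER_DN)
```

Feed it the real captures by running the same `ldapsearch -Y GSSAPI uid=th ipaNTHash ipaNTSecurityIdentifier` once under the service keytab and once under an admin ticket; an entry returned without the attributes under both binds points at missing SID generation rather than at the ACI.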
