[Freeipa-users] FreeIPA and Samba4

Joshua Doll joshua.doll at gmail.com
Thu Oct 29 18:45:32 UTC 2015


What about as directory manager?

--Joshua D Doll

On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <th at casalogic.dk> wrote:

> I should think so:
>
> On IPA server.
>
> ipa role-show 'CIFS server'
>   Role name: CIFS server
>   Privileges: CIFS server privilege
>   Member services: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
>
> ipa privilege-show 'CIFS server privilege'
>   Privilege name: CIFS server privilege
>   Permissions: CIFS test, CIFS server can read user passwords
>   Granting privilege to roles: CIFS server
>
> ipa permission-show 'CIFS server can read user passwords'
>   Permission name: CIFS server can read user passwords
>   Granted rights: read, search, compare
>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>   Bind rule type: permission
>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>   Type: user
>   Granted to Privilege: CIFS server privilege
>   Indirect Member of roles: CIFS server
>
> ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN -k /tmp/samba.keytab
>
> samba.keytab copied to samba server.
>
> on samba server (tinkerbell):
> kdestroy -A
> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>
> SASL/GSSAPI authentication started
> SASL username: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=casalogic,dc=lan> (default) with scope subtree
> # filter: uid=th
> # requesting: ipaNTHash
> #
>
>
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
>
> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <joshua.doll at gmail.com>
> wrote:
>
> Are you using the correct principal for the ldapsearch? Did you grant it
> permissions to view those attributes?
> --Joshua D Doll
> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <th at casalogic.dk> wrote:
>
>> Hmm, weird.
>> I ran ipa-adtrust-install and it said it had users without SIDs,
>> and I told it to generate SIDs.
>> However, I still can't see them on the user.
>> An IPA-db doesn't reveal them being generated and I can't look them up via
>> LDAP.
>>
>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>> .......
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> .....
>>
>> Samba however starts fine now, but unable to find any users:
>> pdbedit -Lv
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>> casalogic.lan
>>
>>
>>
>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <joshua.doll at gmail.com>
>> wrote:
>>
>>
>>
>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
>> the ipa-adtrust-install --add-sids, even though I was not setting up a
>> trust. It would be nice if there was a way to generate these values another
>> way, maybe there is but I missed it.
>>
>> --Joshua D Doll
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>>
>
>
>
>
> --
>
> Kind regards
>
> *Troels Hansen*
>
> Systems consultant
>
> Casalogic A/S
>
> T  (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> <http://www.casalogic.dk/signatur/th.vcf>
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.
>
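The empty result Troels pastes above (both entries come back, but no ipaNTHash line on either) is the case a CIFS-side check should be able to tell apart from an outright bind or search failure: the entry is readable, only the attribute is absent, which happens both when the value was never generated and when the bound principal holds no permission covering it. The following is an added example, not code from the thread or from FreeIPA: a small Python parser for ldapsearch LDIF output that reports, per returned entry, whether ipaNTHash and ipaNTSecurityIdentifier were returned, handling the `::` base64 form ldapsearch uses for binary values and the `search:`/`result:` trailer. Both LDIF samples are constructed; the first mirrors the thread's output, the second shows a successful read with an all-zero fake hash and a made-up SID. Treating the cn=compat entry as a separate view that never carries these attributes is this example's assumption.

```python
"""Added example (not from the thread): parse ldapsearch LDIF output and report,
per returned entry, whether the CIFS-relevant attributes came back.

Both samples are constructed. The first mirrors the empty result in the thread;
the second is what a successful read looks like, with a fake all-zero 16-byte
hash and a made-up SID.
"""
import base64
import re
from typing import Dict, List, Tuple

SAMPLE_LDIF_MISSING = """\
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# ldapsearch emits binary attributes as "attr:: <base64>". Constructed value: all zeros.
FAKE_HASH_B64 = base64.b64encode(bytes(16)).decode()
SAMPLE_LDIF_OK = f"""\
# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
ipaNTHash:: {FAKE_HASH_B64}
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")
Entry = Tuple[str, Dict[str, List[bytes]]]


def parse_ldif(text: str) -> List[Entry]:
    """Return (dn, {attr-lowercased: [raw values]}) for every entry in an
    ldapsearch dump. Handles folded continuation lines, '#' comments, '::'
    base64 values and the search/result trailer that follows the last entry."""
    entries: List[Entry] = []
    current = None
    unfolded = re.sub(r"\r?\n ", "", text)      # LDIF folds long lines with a leading space
    for line in unfolded.splitlines():
        if not line:                             # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode()
        if attr.lower() == "dn":
            if current is not None:
                entries.append(current)
            current = (raw.decode(), {})
            continue
        if current is None:                      # "search: 4" / "result: 0 Success" trailer
            continue
        current[1].setdefault(attr.lower(), []).append(raw)
    if current is not None:
        entries.append(current)
    return entries


def check_entries(text: str, wanted=("ipaNTHash", "ipaNTSecurityIdentifier")) -> Dict[str, Dict[str, str]]:
    """Per returned DN, classify each wanted attribute as 'present', 'missing'
    (never generated, or the bound principal has no read permission on it; the
    entry itself is still readable), 'malformed' (an NT hash is 16 bytes), or
    'compat view' for the cn=compat tree (assumed never to carry these attributes)."""
    report: Dict[str, Dict[str, str]] = {}
    for dn, attrs in parse_ldif(text):
        if ",cn=compat," in dn.lower():
            report[dn] = {a: "compat view" for a in wanted}
            continue
        status = {}
        for a in wanted:
            vals = attrs.get(a.lower())
            if not vals:
                status[a] = "missing"
            elif a.lower() == "ipanthash" and len(vals[0]) != 16:
                status[a] = "malformed"
            else:
                status[a] = "present"
        report[dn] = status
    return report


if __name__ == "__main__":
    for label, sample in (("thread result", SAMPLE_LDIF_MISSING), ("successful read", SAMPLE_LDIF_OK)):
        print(f"== {label}")
        for dn, status in check_entries(sample).items():
            print(f"  {dn}: {status}")
```

Run it with the real ldapsearch output piped in, or paste it into a sample string; a "missing" on the cn=accounts entry after the permission shown above is in place points at the attribute never having been generated for that user, which is what the rest of the thread is about. The value of the hash is deliberately never printed; only its presence and length are reported.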