[Freeipa-users] FreeIPA and Samba4
Troels Hansen
th at casalogic.dk
Fri Oct 30 09:53:47 UTC 2015
Well, I think the problem here is that I'm missing the attributes.
One "funny" thing being that apparently some users have had the ipantuserattrs objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including mine).
Tried adding a new user, just to test, and this gets created with an ipaNTSecurityIdentifier; however, my old users still don't have one.
I guess I just need a way to have IPA add ipantuserattrs and ipaNTSecurityIdentifier to my existing users.
When running ipa-adtrust-install it finds 85 users without a SID, and I install the SID plugin (which is just 2 LDIFs), but this still doesn't do anything.
----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.doll at gmail.com> wrote:
> Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
> --add-sids. I did notice when I was setting this up recently that I had to run
> the adtrust-install command whenever I added new users or groups. I don't know
> if it was just me being impatient or a limitation. Another thing I noticed that
> is different between our two setups is I couldn't get this setup to work on a
> separate host, I am running samba on the same host as my ipa service.
> --Joshua D Doll
> On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < th at casalogic.dk > wrote:
>> Same result...
>> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>> # search result
>> search: 2
>> result: 0 Success
>> # numResponses: 3
>> # numEntries: 2
>> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>>> What about as directory manager?
>>> --Joshua D Doll
>>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:
>>>> I should think so:
>>>> On IPA server.
>>>> ipa role-show 'CIFS server'
>>>> Role name: CIFS server
>>>> Privileges: CIFS server privilege
>>>> Member services: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>>>> ipa privilege-show 'CIFS server privilege'
>>>> Privilege name: CIFS server privilege
>>>> Permissions: CIFS test, CIFS server can read user passwords
>>>> Granting privilege to roles: CIFS server
>>>> ipa permission-show 'CIFS server can read user passwords'
>>>> Permission name: CIFS server can read user passwords
>>>> Granted rights: read, search, compare
>>>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>>> Bind rule type: permission
>>>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>>> Type: user
>>>> Granted to Privilege: CIFS server privilege
>>>> Indirect Member of roles: CIFS server
>>>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN -k /tmp/samba.keytab
>>>> samba.keytab copied to samba server.
>>>> on samba server (tinkerbell):
>>>> kdestroy -A
>>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>>>> SASL/GSSAPI authentication started
>>>> SASL username: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>>>> # filter: uid=th
>>>> # requesting: ipaNTHash
>>>> #
>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>> # numResponses: 3
>>>> # numEntries: 2
>>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>>>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>>>> permissions to view those attributes?
>>>>> --Joshua D Doll
>>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:
>>>>>> Hmm, weird.
>>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>>>> told it to generate SIDs.
>>>>>> However, I still can't see them on the user.
>>>>>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.
>>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>>>> .......
>>>>>> # th, users, compat, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>>>> # th, users, accounts, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>>>> .....
>>>>>> Samba however starts fine now, but is unable to find any users:
>>>>>> pdbedit -Lv
>>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>>>> would be nice if there was a way to generate these values another way, maybe
>>>>>>> there is but I missed it.
>>>>>>> --Joshua D Doll
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>> --
>>>> Kind regards
>>>> Troels Hansen
>>>> System consultant
>>>> Casalogic A/S
>>>> T (+45) 70 20 10 63
>>>> M (+45) 22 43 71 57
>>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
>>>> much more.
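The audit Troels is after in the message above (which existing users still have no ipaNTSecurityIdentifier after running ipa-adtrust-install), as an added example that is not part of the original thread and not FreeIPA's own tooling: a POSIX shell/awk filter over ldapsearch LDIF output. The sample LDIF below is constructed, the dc=example,dc=test suffix is made up, and the ldapsearch invocation in the comment assumes you already hold a Kerberos ticket for a principal that is allowed to read the attribute (as the "CIFS server can read user passwords" permission in the thread grants to the cifs/ service).

```shell
#!/bin/sh
# Added example (not from the thread): list user entries that still lack an
# ipaNTSecurityIdentifier, from LDIF produced by ldapsearch. Obtain the LDIF
# against a live server with a principal that may read the attribute, e.g.
#   ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
#     '(objectClass=posixAccount)' objectClass ipaNTSecurityIdentifier > users.ldif
# (dc=example,dc=test is a made-up suffix; substitute your own base DN.)

# users_without_sid: read LDIF on stdin, print the DN of each entry that has
# no ipaNTSecurityIdentifier. Entries under cn=compat are skipped: that tree
# is the compat plugin's read-only view and never carries the attribute.
# Base64-encoded values ("dn::") are not decoded.
users_without_sid() {
    awk '
    BEGIN { RS = "" }                 # paragraph mode: one LDIF entry per record
    {
        rec = $0
        gsub(/\n /, "", rec)          # unfold LDIF continuation lines
        dn = ""; has_sid = 0
        n = split(rec, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] ~ /^dn: /) dn = substr(lines[i], 5)
            else if (lines[i] ~ /^ipaNTSecurityIdentifier: /) has_sid = 1
        }
        if (dn != "" && dn !~ /cn=compat/ && !has_sid) print dn
    }'
}

# Constructed sample: mirrors the thread's situation. The same uid shows up
# twice (compat view and real entry), an old user has no SID, a newly created
# user does, and one DN is folded across two lines as ldapsearch does for
# long values.
SAMPLE_LDIF='dn: uid=th,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
uid: th

dn: uid=th,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: posixAccount
uid: th

dn: uid=newuser,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: ipantuserattrs
uid: newuser
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=folded,cn=users,cn=accounts,
 dc=example,dc=test
objectClass: posixAccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002
'

# Prints only the real entry for th; the compat entry and both SID-bearing
# users are left out.
printf '%s' "$SAMPLE_LDIF" | users_without_sid
```

The cn=compat skip matters because, as the thread's ldapsearch output shows, a plain `uid=th` search against the default base returns two DNs for the same user; only the cn=accounts entry is the real one that ipa-adtrust-install --add-sids can decorate with ipantuserattrs and a SID. The filter works on output with or without `-LLL`, since the `#` comment lines ldapsearch emits match neither pattern.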