[Freeipa-users] FreeIPA and Samba4

Troels Hansen th at casalogic.dk
Fri Oct 30 09:53:47 UTC 2015


Well, I think the problem here is that I am missing the attributes. 
One "funny" thing is that apparently some users have had the ipantuserattrs objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including mine). 
Tried adding a new user, just to test, and this gets created with an ipaNTSecurityIdentifier; however, my old users still don't have one. 
I guess I just need a way to have IPA add ipantuserattrs and ipaNTSecurityIdentifier to my existing users. 

When running ipa-adtrust-install it finds 85 users without a SID, and I installed the SID plugin (which is just 2 LDIFs), but this still doesn't do anything. 

----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.doll at gmail.com> wrote: 

> Hmm... well I'm at a loss then. I had to only run the ipa-adtrust-install
> --add-sids. I did notice when I was setting this up recently that I had to run
> the adtrust-install command whenever I added new users or groups. I don't know
> if it was just me being impatient or a limitation. Another thing I noticed that
> is different between our two setups is I couldn't get this setup to work on a
> separate host, I am running samba on the same host as my ipa service.

> --Joshua D Doll

> On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen <th at casalogic.dk> wrote:

>> Same result...

>> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #

>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

>> # search result
>> search: 2

>> result: 0 Success

>> # numResponses: 3
>> # numEntries: 2

>> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.doll at gmail.com > wrote:

>>> What about as directory manager?

>>> --Joshua D Doll

>>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:

>>>> I should think so:

>>>> On IPA server.

>>>> ipa role-show 'CIFS server'
>>>> Role name: CIFS server
>>>> Privileges: CIFS server privilege
>>>> Member services: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN

>>>> ipa privilege-show 'CIFS server privilege'
>>>> Privilege name: CIFS server privilege
>>>> Permissions: CIFS test, CIFS server can read user passwords
>>>> Granting privilege to roles: CIFS server

>>>> ipa permission-show 'CIFS server can read user passwords'
>>>> Permission name: CIFS server can read user passwords
>>>> Granted rights: read, search, compare
>>>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>>> Bind rule type: permission
>>>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>>> Type: user
>>>> Granted to Privilege: CIFS server privilege
>>>> Indirect Member of roles: CIFS server

>>>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN -k /tmp/samba.keytab

>>>> samba.keytab copied to samba server.

>>>> on samba server (tinkerbell):
>>>> kdestroy -A
>>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash

>>>> SASL/GSSAPI authentication started
>>>> SASL username: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>>>> # filter: uid=th
>>>> # requesting: ipaNTHash
>>>> #

>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

>>>> # search result
>>>> search: 4
>>>> result: 0 Success

>>>> # numResponses: 3
>>>> # numEntries: 2

>>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:

>>>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>>>> permissions to view those attributes?
>>>>> --Joshua D Doll
>>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:

>>>>>> Hmm, weird.
>>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>>>> told it to generate SIDs.
>>>>>> However, I still can't see them on the user.
>>>>>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.

>>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>>>> .......
>>>>>> # th, users, compat, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

>>>>>> # th, users, accounts, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

>>>>>> .....

>>>>>> Samba however starts fine now, but is unable to find any users:
>>>>>> pdbedit -Lv
>>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan

>>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:

>>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>>>> would be nice if there was a way to generate these values another way, maybe
>>>>>>> there is but I missed it.

>>>>>>> --Joshua D Doll

>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project


>>>> --

>>>> Kind regards

>>>> Troels Hansen

>>>> System consultant

>>>> Casalogic A/S

>>>> T (+45) 70 20 10 63

>>>> M (+45) 22 43 71 57

>>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
>>>> much more.




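An added diagnostic, not code from the thread or from the FreeIPA project: it parses ldapsearch LDIF output (a constructed sample is embedded) and lists accounts-tree users that lack the ipantuserattrs objectClass or a well-formed ipaNTSecurityIdentifier, the state described above for the users ipa-adtrust-install reports as having no SID. The SID pattern and the cn=users,cn=accounts base filter are assumptions about a standard IPA layout.

```python
import re

# Constructed sample ldapsearch output, not data from the thread's servers.
SAMPLE_LDIF = """\
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
objectClass: person

dn: uid=new,cn=users,cn=accounts,dc=casalogic,dc=lan
objectClass: person
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
objectClass: posixAccount
"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # assumed: domain SID + RID

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] from LDIF; '#' comment lines are skipped."""
    entries, attrs = [], {}
    # A line starting with a space continues the previous one (LDIF folding), so unfold first.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line == "":  # a blank line terminates the entry
            if "dn" in attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
        elif not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def users_missing_sid(entries, base="cn=users,cn=accounts,"):
    """Accounts-tree users lacking ipantuserattrs or a well-formed SID.
    Entries under cn=compat never match `base`, so the read-only compat view is ignored."""
    problems = []
    for dn, attrs in entries:
        if base not in dn.lower():
            continue
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        sids = attrs.get("ipantsecurityidentifier", [])
        reasons = []
        if "ipantuserattrs" not in classes:
            reasons.append("missing ipantuserattrs objectClass")
        if not sids:
            reasons.append("missing ipaNTSecurityIdentifier")
        elif not SID_RE.match(sids[0]):
            reasons.append("malformed SID " + sids[0])
        if reasons:
            problems.append((dn, reasons))
    return problems
```

Feed it output from a search bound as Directory Manager (as in the thread) so that an entry with no attribute lines reflects a genuinely missing attribute rather than an ACI that denies the bound principal read access.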