[Freeipa-users] a bit off topic- samba + sssd => AD

lejeczek peljasz at yahoo.co.uk
Mon Jun 6 14:47:24 UTC 2016



On 06/06/16 12:42, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, lejeczek wrote:
>>> SMB services with Kerberos require use of cifs/<hostname> service
>>> principal. Your keytab only has host/<hostname> keys, and your AD
>>> machine account for the <hostname> does not have 'cifs/<hostname>' SPN
>>> defined. The latter is what causes smbclient -k to fail -- AD DC
>>> doesn't know about 'cifs/<hostname>' and refuses to issue a service
>>> ticket even before smbclient contacts Samba server.
>> Alexander, thanks!
>> Yes, cifs needs to be in the keytab file; smbclient to itself (on the
>> smb server locally) works now with -k.
>> I wonder - should it also work with only passwords? It does not, for me.
>> User mapping concept (which I do not grasp completely yet): when an AD
>> client (win10) now gets to samba shares okay, it is done with AD user
>> credentials; the win client sees the share like: user at my.dom, which
>> user is not IPA's user (there are no trusts, no syncing).
> I don't know details of what you have configured. For IPA with trusts
> both Kerberos and passwords should work when Samba is running on IPA
> master. For IPA client, we have procedure defined for SSSD+Samba. For
> anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all, 
~two emails ago, last Friday.
>
>> Now, when you say mapping - this would be winbind/smb translating/mapping
>> AD's SIDs to match IPA's UIDs - which is/would be different from syncing
>> users from AD => IPA, correct?
> SIDs to UID/GID on the system. You seem to confuse a lot in your emails
> -- you are claiming that there is no IPA trust or sync in place yet you
> expect somehow things to magically work, I simply don't understand your
> situation to comment on it.
Not magically, no, it's the same one box: IPA server and at the same time 
samba (non-IPA, might be why smbclient without Kerberos does not work) + 
sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet - 
thus my only question now is more about concepts, which - yes - I don't 
grasp fully.
Yes, I confuse things; the way I understand it is: my Linux box now has 
two separate user db backends, two different user catalogs; the first one 
is IPA's and the second is AD's via sssd (which samba, being an AD client, 
also uses), with no winbind at this point.
The last thing I wonder about is that SIDs/UIDs mapping - one: do I 
want/need it? And if so, then two: how to achieve it running a setup like 
mine?

>
>> Another thing, not having winbind in nsswitch (or not having it at all),
>> but still having sssd using AD - should I be able to access the
>> linux+sssd=>AD box with means like ssh? e.g. ssh
>> me at my.dom@swir.private.my.dom (I think I had it working with winbind
>> in nsswitch)
> SSSD client as IPA client will work with passwords in AD but only if
> trust is established between IPA and AD.
>
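A keytab check for the missing cifs/<hostname> SPN discussed in this thread, added here as an example and not part of anyone's post: it reads `klist -kt` output and reports which of the host/ and cifs/ principals Samba needs are absent. The listing and the realm name PRIVATE.MY.DOM are constructed; the host name swir.private.my.dom is the one from the thread.

```shell
#!/bin/sh
# Report the SPNs a Samba host needs for Kerberos (host/<fqdn>@REALM and
# cifs/<fqdn>@REALM) that are missing from a `klist -kt` listing.

# Constructed sample listing: only host/ keys, the state before the fix.
# The realm name is an assumption, not taken from the thread.
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/06/2016 12:00:00 host/swir.private.my.dom@PRIVATE.MY.DOM
   2 06/06/2016 12:00:00 host/swir.private.my.dom@PRIVATE.MY.DOM'

# Same keytab after the cifs/ key was added.
SAMPLE_AFTER="$SAMPLE_BEFORE
   2 06/06/2016 12:05:00 cifs/swir.private.my.dom@PRIVATE.MY.DOM"

# keytab_principals: read a klist -kt listing on stdin and print each
# distinct service principal. Entry lines have four columns (KVNO, date,
# time, principal) and a numeric KVNO; header lines do not.
keytab_principals() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && index($4, "/") > 0 { print $4 }' | sort -u
}

# missing_spns FQDN REALM: read the listing on stdin and print every
# expected SPN that is absent. Empty output means the keytab is complete.
missing_spns() {
    fqdn=$1
    realm=$2
    present=$(keytab_principals)
    for svc in host cifs; do
        spn="$svc/$fqdn@$realm"
        printf '%s\n' "$present" | grep -qxF "$spn" || printf '%s\n' "$spn"
    done
}

# On a live host: klist -kt | missing_spns "$(hostname -f)" REALM
echo "before fix, missing: $(printf '%s\n' "$SAMPLE_BEFORE" | missing_spns swir.private.my.dom PRIVATE.MY.DOM)"
echo "after fix, missing:  $(printf '%s\n' "$SAMPLE_AFTER"  | missing_spns swir.private.my.dom PRIVATE.MY.DOM)"
```

A complete keytab is only half of it: the same cifs/<hostname> SPN must also be registered on the AD machine account, which `setspn -L <computer>` on a domain member shows.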




More information about the Freeipa-users mailing list