[Freeipa-users] Samba in IPA / AD trust, best practise

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 23 07:52:38 UTC 2016


On Wed, 23 Nov 2016, Troels Hansen wrote:
>Hi there
>
>I'm having a bit of a dilemma. I'm going to set up a Samba in an IPA 4.4 / AD trust, and was wondering what the official or best practice method of joining the Samba server is:
>
>I see two methods:
>- The one from http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA using wbclient.
>- A second one where I use ipasam
>
>I was wondering which is actually the official best practice as it
>seems documentation states wbclient, but samba configured on IPA server
>uses ipasam?

You are trying to conflate two different configurations into a single
one, this is not going to work, no wonder.

IPA master uses ipasam. Among other features, ipasam stores information
about trusted domains (ldapsam doesn't do that).

IPA client running Samba server currently can only be configured with
the way described in the wiki, with SSSD-provided libwbclient
replacement. It has its own limitations, namely lack of NTLMSSP
(password-based) support.

If you need to have Samba file server setup for the trust case, you
either give up password-based access completely and go with the
wiki-described way where only Kerberos-based access would work, or you'd
dedicate one IPA master to be a file server, run ipa-adtrust-install on
it and get a machine with ipasam configuration that will be able to
check passwords with NTLMSSP. The downside is that it is a full-blown
IPA master, running 389-ds and MIT Kerberos on it.

-- 
/ Alexander Bokovoy



