[Freeipa-users] FreeIPA and Samba

Alan Latteri alan at instinctualsoftware.com
Wed Oct 12 00:43:21 UTC 2016


I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 Windows machine in our network to be able to access our Linux-based server, using the same user/pass as that of our IPA-authenticated Linux machines.


> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей <a.stepanenko at gw.spb.ru> wrote:
> 
> I read again the topic http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
> It works exactly as I wanted
> 
> ipa-adtrust-install created the following configuration:
> $ net conf list
> [global]
>         workgroup = WORKGROUP
>         netbios name = SMB
>         realm = GW.SPB.RU
>         kerberos method = dedicated keytab
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         create krb5 conf = no
>         security = user
>         domain master = yes
>         domain logons = yes
>         log level = 1
>         max log size = 100000
>         log file = /var/log/samba/log.%m
>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
>         disable spoolss = yes
>         ldapsam:trusted = yes
>         ldap ssl = off
>         ldap suffix = dc=gw,dc=spb,dc=ru
>         ldap user suffix = cn=users,cn=accounts
>         ldap group suffix = cn=groups,cn=accounts
>         ldap machine suffix = cn=computers,cn=accounts
>         rpc_server:epmapper = external
>         rpc_server:lsarpc = external
>         rpc_server:lsass = external
>         rpc_server:lsasd = external
>         rpc_server:samr = external
>         rpc_server:netlogon = external
>         rpc_server:tcpip = yes
>         rpc_daemon:epmd = fork
>         rpc_daemon:lsasd = fork
> 
> But I don't understand why it wasn't put into smb.conf directly.
> 
> The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace the file socket with a network connection failed, and I had to set up LDAP replication. It was easy, but "ipa-replica-prepare" installed a whole IPA server (tomcat, java, ldap), not only the LDAP server. I need to continue reading the documentation. However, the problem was solved.
> 
> 06.10.2016 23:51, Степаненко Алексей wrote:
>> Thank you for your reply. 
>> 
>> I've got a Samba server for a company; accounts are created by hand. Clients are various Windows or Linux desktops.
>> 
>> I want to install FreeIPA and have one area for managing accounts (SMB, SSH access for other servers). Now I am preparing a clean Samba installation for testing. It would be great to use FreeIPA as the authorization server for Samba.
>> 
>> I was looking for information about Samba + FreeIPA, but I found only this document. Maybe I am missing obvious things.
>> 
>> 
>> 06.10.2016 20:31, Loris Santamaria wrote:
>>> The document you are linking to explains how to configure a samba file 
>>> server in a freeipa domain, which is one of many ways you can configure 
>>> and use a samba server. 
>>> 
>>> What do you want to achieve with samba, and what is your current setup? 
>>> 
>>> 
>>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
>>>> Hello. 
>>>> 
>>>> I've read the topic about FreeIPA and SAMBA 
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>> 
>>>> If I understand correctly, Samba's client must be present in
>>>> FreeIPA AD.
>>>> Unfortunately, it does not work for me. I can't join some work
>>>> desktops to AD. Is it possible to make Samba auth through LDAP IPA?
>>>> Samba has LDAP support:
>>>> 
>>>>           ldap admin dn 
>>>>           ldap group suffix 
>>>>           ldap idmap suffix 
>>>>           ldap machine suffix 
>>>>           ldap passwd sync 
>>>>           ldap suffix 
>>>>           ldap user suffix 
>>>> 
>>>> Does it work with IPA?
>>>> 
>>>> Thanks. 
>>>> 
