[Freeipa-users] FreeIPA and Samba

Aleksey Stepanenko a.stepanenko at gw.spb.ru
Wed Oct 12 08:22:52 UTC 2016


My Samba server and IPA server are different machines too. I made LDAP 
replication IPA-SAMBA ( 
https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=6 ). 
Unfortunately, it makes full replication (not only ldap-server), but it 
works. My Windows machines are not joined to a domain.


12.10.2016 03:43, Alan Latteri wrote:
> I am trying to get this to work, but our Samba server is not the same 
> machine as our IPA server, and these instructions seem to assume that. 
>  Any ideas?  All I need is the 1 Windows machine in our network to be 
> able to access our Linux-based server, using the same user/pass as 
> that of our IPA-authenticated Linux machines.
>
>
>> On Oct 10, 2016, at 1:35 PM, Степаненко Алексей 
>> <a.stepanenko at gw.spb.ru> wrote:
>>
>> I read again the topic 
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
>> It works exactly as I wanted
>>
>> ipa-adtrust-install created the following configuration:
>>
>> $ net conf list
>> [global]
>>         workgroup = WORKGROUP
>>         netbios name = SMB
>>         realm = GW.SPB.RU
>>         kerberos method = dedicated keytab
>>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>>         create krb5 conf = no
>>         security = user
>>         domain master = yes
>>         domain logons = yes
>>         log level = 1
>>         max log size = 100000
>>         log file = /var/log/samba/log.%m
>>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
>>         disable spoolss = yes
>>         ldapsam:trusted = yes
>>         ldap ssl = off
>>         ldap suffix = dc=gw,dc=spb,dc=ru
>>         ldap user suffix = cn=users,cn=accounts
>>         ldap group suffix = cn=groups,cn=accounts
>>         ldap machine suffix = cn=computers,cn=accounts
>>         rpc_server:epmapper = external
>>         rpc_server:lsarpc = external
>>         rpc_server:lsass = external
>>         rpc_server:lsasd = external
>>         rpc_server:samr = external
>>         rpc_server:netlogon = external
>>         rpc_server:tcpip = yes
>>         rpc_daemon:epmd = fork
>>         rpc_daemon:lsasd = fork
>>
>> But I don't understand why it wasn't put into smb.conf directly.
>>
>> The second problem is 'passdb backend'. I didn't find any 
>> documentation about this module. An attempt to replace the file socket 
>> with a network connection failed. And I had to set up LDAP replication. It 
>> was easy, but "ipa-replica-prepare" installed a whole IPA server 
>> (tomcat, java, ldap), not only the LDAP server. I need to continue 
>> reading the documentation. However, the problem was solved.
>>
>> 06.10.2016 23:51, Степаненко Алексей wrote:
>>> Thank you for your reply.
>>>
>>> I've got a Samba server for a company; accounts are created by hand. 
>>> Clients are different Windows or Linux desktops.
>>>
>>> I want to install FreeIPA and have one area for managing accounts 
>>> (SMB, SSH access for other servers). Now I am preparing a clean Samba 
>>> installation for testing. It would be great to use FreeIPA as an 
>>> authorization server for Samba.
>>>
>>> I was looking for information about Samba + FreeIPA, but I found 
>>> only this document. Maybe I am missing obvious things.
>>>
>>>
>>> 06.10.2016 20:31, Loris Santamaria wrote:
>>>> The document you are linking to explains how to configure a samba file
>>>> server in a freeipa domain, which is one of many ways you can 
>>>> configure
>>>> and use a samba server.
>>>>
>>>> What do you want to achieve with samba, and what is your current 
>>>> setup?
>>>>
>>>>
>>>> On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:
>>>>> Hello.
>>>>>
>>>>> I've read the topic about FreeIPA and SAMBA
>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>
>>>>> If I understand correctly, Samba's client must be present in
>>>>> FreeIPA AD.
>>>>> Unfortunately, it does not work for me. I can't join some work
>>>>> desktops
>>>>> to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
>>>>> ldap support
>>>>>
>>>>>           ldap admin dn
>>>>>           ldap group suffix
>>>>>           ldap idmap suffix
>>>>>           ldap machine suffix
>>>>>           ldap passwd sync
>>>>>           ldap suffix
>>>>>           ldap user suffix
>>>>>
>>>>> Does it work with IPA?
>>>>>
>>>>> Thanks.
>>>>>
>>>
>>>
>>>
>>
>

-- 
Best regards,
Степаненко Алексей,
Head of the Information Technology Group,
ООО "Глобал Веб Групп"
Website: http://gw.spb.ru
Tel.: +7 (812) 409-00-90
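
Added example, not part of the original message or of FreeIPA/Samba code: a small check over `net conf list` output that reports which transport the `passdb backend` uses, since `ldap ssl = off` is harmless on the local `ldapi://` socket quoted in the thread but means no StartTLS if the backend URL is ever pointed at `ldap://` on another host. The sample text is constructed from the values in the thread, and the function names and finding labels are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample in the format `net conf list` prints; values are the ones
# quoted in the thread, with the mail-wrapped passdb line rejoined.
SAMPLE = """\
[global]
        security = user
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
        ldap ssl = off
        ldap suffix = dc=gw,dc=spb,dc=ru
"""

def parse_global(text):
    """Return [global] parameters as {normalised key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def passdb_transport(params):
    """Split 'module:scheme://target' into (module, scheme, decoded target)."""
    module, _, url = params.get("passdb backend", "").partition(":")
    scheme, sep, target = url.partition("://")
    return (module, scheme.lower(), unquote(target)) if sep else (module, None, url)

def audit(params):
    """Return (level, message) for the directory connection Samba will use."""
    module, scheme, target = passdb_transport(params)
    ldap_ssl = params.get("ldap ssl", "").lower()
    if scheme == "ldapi":
        return ("ok", f"{module} uses local socket {target}; traffic stays on the host")
    if scheme == "ldap" and ldap_ssl == "off":
        return ("risk", f"{module} reaches {target} over the network without StartTLS")
    if scheme in ("ldap", "ldaps"):
        return ("review", f"{module} uses {scheme}://{target}; verify TLS and CA settings")
    return ("review", f"unrecognised passdb backend: {module}")

if __name__ == "__main__":
    print(audit(parse_global(SAMPLE)))
```
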
