[Freeipa-users] Samba Server setup

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 21 15:49:00 UTC 2016


On Wed, 21 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/16/16, 12:02 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
>    On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
>    >    You can replace actual hostnames/realm names/IP addresses by something more generic
>    >    in the output when sending to the list, but please do it consistently.
>    >
>    >I’m sorry. I thought I had been consistent when making changes, but
>    >from your response, it looks like I wasn’t. I’m sorry about that. I got
>    >yelled at by our security team last time we sent logs to a public list
>    >that had any type of identifiable information in them, so it’s sort of
>    >a new process for me. I think I have it down now.
>    >
>    >The results of the commands are here: http://pastebin.com/PRwr7wv6
>    So IPA side works fine -- on IPA client you can kinit as AD user and
>    then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
>    request a service ticket to cifs/... service. That's good.
>
>    You need to identify what happens on AD side. A possible issue is that
>    name suffix routing to IPA domain is disabled.
>
>    Can you provide output of netdom.exe run on Windows side:
>
>      netdom trust addom.domain /namesuffixes: ipa.domain
>
>    You should get something like example 28 on the page
>    https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx
>
>Thank you for this. I went to run the command and kept getting an
>“Incorrect parameter” error. After that I talked to one of our Active
>Directory admins and he mentioned that we are working on resolving a
>disjoint namespace error on addom. I don’t understand enough about it,
>but do know that it can cause issues with Kerberos authentication
>across domains. That should get fixed soon. Once that gets fixed, I’ll
>test again.
>
>I have one more related question. The instruction page states that
>NTLMSSP authentication isn’t working as of yet, as well as you
>mentioned it earlier in this thread. Is there a bug or feature request
>that is tracking that?
https://fedorahosted.org/sssd/ticket/2012 is a tracker. We have
gss-ntlmssp implemented but it depends on winbindd and there are things
which are not done yet in making sssd/winbindd co-working.

We had a few talks about possible ways to integrate around that topic at
the SambaXP 2016 conference:
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Simo_Sorce-SambaAndLinuxDistributionsLetsIntegrateBetter.pdf
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumit_Bose-WinbindAndSSSDCanTheyBeFriends/

-- 
/ Alexander Bokovoy



