[Freeipa-users] Samba Server setup
Alexander Bokovoy
abokovoy at redhat.com
Wed Sep 21 15:49:00 UTC 2016
On Wed, 21 Sep 2016, Brook, Andy [CRI] wrote:
>On 9/16/16, 12:02 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
> On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote:
> > You can replace actual hostnames/realm names/IP addresses by something more generic
> > in the output when sending to the list, but please do it consistently.
> >
> >I’m sorry. I thought I had been consistent when making changes, but
> >from your response, it looks like I wasn’t. I’m sorry about that. I got
> >yelled at by our security team last time we sent logs to a public list
> >that had any type of identifiable information in them, so it’s sort of
> >a new process for me. I think I have it down now.
> >
> >The results of the commands are here: http://pastebin.com/PRwr7wv6
> So IPA side works fine -- on IPA client you can kinit as AD user and
> then obtain cross-realm TGT to IPA realm and use that cross-realm TGT to
> request a service ticket to cifs/... service. That's good.
>
> You need to identify what happens on AD side. A possible issue is that
> name suffix routing to IPA domain is disabled.
>
> Can you provide output of netdom.exe run on Windows side:
>
> netdom trust addom.domain /namesuffixes: ipa.domain
>
> You should get something like example 28 on the page
> https://msdn.microsoft.com/en-us/library/cc776879(v=ws.10).aspx
>
>Thank you for this. I went to run the command and kept getting an
>“Incorrect parameter” error. After that I talked to one of our Active
>Directory admins and he mentioned that we are working on resolving a
>disjoint namespace error on addom. I don’t understand enough about it,
>but do know that it can cause issues with Kerberos authentication
>across domains. That should get fixed soon. Once that gets fixed, I’ll
>test again.
>
>I have one more related question. The instruction page states that
>NTLMSSP authentication isn’t working as of yet, as well as you
>mentioned it earlier in this thread. Is there a bug or feature request
>that is tracking that?
https://fedorahosted.org/sssd/ticket/2012 is a tracker. We have
gss-ntlmssp implemented but it depends on winbindd and there are things
which are not done yet in making sssd/winbindd co-working.
We had few talks about possible ways to integrate around that topic at
SambaXP 2016 conference:
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Simo_Sorce-SambaAndLinuxDistributionsLetsIntegrateBetter.pdf
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/wed/sambaxp2016-wed-Sumit_Bose-WinbindAndSSSDCanTheyBeFriends/
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list