[Freeipa-users] Assistance with Samba share integration with IPA

Loris Santamaria loris at lgs.com.ve
Thu Jan 5 16:54:46 UTC 2017


Hello, replied inline below

On Wed, 28-12-2016 at 18:15 -0500, William Muriithi wrote:
> Hello
> 
> I am trying to setup a samba share - actually replace winbind on a
> current samba server and I am basing my change on these instructions.
> 
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> 
> The IPA servers is version ipa-server-4.4.0-14.el7 and I have trust
> established between AD and IPA.  Samba server is on RHEL 6.8
> 
> Ideally, I would prefer to leave samba on RHEL 6 and it looks like
> RHEL 6 is currently using sssd-1.13.3-22.el6_8.4.x86_64.  According to
> the above link, you need sssd v1.12.2 and above. Would the version on
> RHEL 6 above be bundling sssd-libwbclient by any chance?  If not, is it
> possible to install sssd-libwbclient on RHEL 6?

You could try installing sssd-1.14 from a COPR repo, like
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

> Also, in smb.conf, it's a bit ambiguous what REALM needs to be used.
> Does one need to use IPA REALM or active directory REALM on these two
> lines below?
> 
>         workgroup = MY
>         realm = MY.REALM

The samba fileserver will be a member of the ipa domain, so you should
use freeipa's kerberos realm in the 'realm' parameter in smb.conf. As
for the 'workgroup' parameter, you can find the appropriate value in
the 'NetBios Name' parameter from the 'ipa trustconfig-show' command
output.

> Lastly, when I followed the above article to setup samba, I got the
> following errors when I attempted to connect to samba from Windows.
> What would be potential places to go check for misconfiguration?
> 
> Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.503322, 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
> Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong principal in request)
> Dec 28 17:49:41 manganese smbd[30221]: [2016/12/28 17:49:41.507090, 0] libads/kerberos_verify.c:75(ads_dedicated_keytab_verify_ticket)
> Dec 28 17:49:41 manganese smbd[30221]:   krb5_rd_req failed (Wrong principal in request)

Check that you're using the proper realm and workgroup in smb.conf, and
that the principal used by samba is cifs/<server fqdn>@<IPA REALM>.

Best regards

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
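
The three checks suggested in the reply above (realm, workgroup, cifs principal), written as a shell script. This is an added example, not part of the original message: the function names, hostnames, realm and sample files are constructed, and the `NetBIOS name` label it looks for in saved `ipa trustconfig-show` output is an assumption.

```shell
# Added example. Every realm, hostname and file content below is constructed.
# On a real server, save `ipa trustconfig-show` and `klist -k <samba keytab>`
# output to files and pass those instead (keytab location is site-specific).

# smb_param FILE KEY: print KEY's value from an smb.conf-style file
smb_param() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                               # skip comment lines
        { k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k) }  # normalise the key
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# netbios_name FILE: NetBIOS name from saved `ipa trustconfig-show` output
netbios_name() {
    awk -F': *' 'tolower($1) ~ /netbios name$/ { print $2; exit }' "$1"
}

# check_samba_ipa SMBCONF TRUSTCONFIG KLIST FQDN IPA_REALM
# Prints one line per mismatch; returns 0 only if all three checks pass.
check_samba_ipa() {
    rc=0; want_wg=$(netbios_name "$2"); want_spn="cifs/$4@$5"
    [ "$(smb_param "$1" realm)" = "$5" ] ||
        { echo "realm: smb.conf should use the IPA realm $5"; rc=1; }
    [ "$(smb_param "$1" workgroup)" = "$want_wg" ] ||
        { echo "workgroup: smb.conf should use $want_wg"; rc=1; }
    awk -v p="$want_spn" '$2 == p { ok = 1 } END { exit !ok }' "$3" ||
        { echo "keytab: no entry for $want_spn"; rc=1; }
    return $rc
}

# make_samples DIR: write constructed inputs (one good, one bad smb.conf)
make_samples() {
    printf '[global]\n\tworkgroup = IPA\n\trealm = IPA.EXAMPLE.COM\n' > "$1/smb.conf"
    printf '[global]\n\tworkgroup = AD\n\trealm = AD.EXAMPLE.COM\n' > "$1/smb-bad.conf"
    printf '  Domain: ipa.example.com\n  NetBIOS name: IPA\n' > "$1/trustconfig.txt"
    printf 'KVNO Principal\n---- ---------\n   1 cifs/smb.ipa.example.com@IPA.EXAMPLE.COM\n' > "$1/klist.txt"
}

d=$(mktemp -d); make_samples "$d"
check_samba_ipa "$d/smb-bad.conf" "$d/trustconfig.txt" "$d/klist.txt" \
    smb.ipa.example.com IPA.EXAMPLE.COM || echo "=> fix smb.conf before retrying"
rm -rf "$d"
```

The bad sample uses the AD realm and workgroup, so the run reports both mismatches while the keytab check passes.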



