[Freeipa-users] FreeIPA as Samba Backend, Existing Users Fail

Youenn PIOLET piolet.y at gmail.com
Thu Jan 19 00:27:57 UTC 2017


Hi,

ipa-adtrust-install populates the ipaNTHash in LDAP for each user/group,
but you still need a samba backend to read these new attributes.
Do you use ipasam.so?
If you don't, you should recompile your version of FreeIPA, move ipasam.so
to your password backend directory containing other .so files, and put this
in your smb.conf:

passdb backend = ldapsam:ldap://ipaserver


Procedure / best practices may have changed now, if anyone from Red Hat is
around to confirm...
I can only say it's working with any CentOS 7 and FreeIPA > 4.1.4 server.

--
Youenn Piolet
piolet.y at gmail.com


2017-01-13 19:33 GMT+01:00 Armaan Esfahani <armaan.esfahani at advancedopen.com>:

> Upon running the ldapmodify command, I receive an “ldap_bind: No such
> object (32)” error, any suggestions?
>
> On 1/13/17, 8:37 AM, "Sumit Bose" <freeipa-users-bounces at redhat.com on
> behalf of sbose at redhat.com> wrote:
>
>     On Wed, Jan 11, 2017 at 04:00:57PM -0500, Armaan Esfahani wrote:
>     > Hi, I have set up a Samba server to use FreeIPA as a password
>     > backend, however whenever I try to use existing users to log in I get
>     > “NT_STATUS_LOGON_FAILURE”.
>     >
>     > Looking at the sssd_nss log on my ipa server, I get the following
>     > error “(Wed Jan 11 15:56:11 2017) [sssd[nss]] [fill_sid] (0x0020): Missing
>     > SID.”  On all existing accounts, whereas all new accounts function properly
>     > (after resetting their passwords).
>     >
>     > Anyone have any ideas?
>
>     Maybe the sidgen task was run during ipa-adtrust-install, please see
>
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#create-trust-existing-idm
>
>     how to run it.
>
>     HTH
>
>     bye,
>     Sumit
>
>     > --
>
>     > Manage your subscription for the Freeipa-users mailing list:
>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>     > Go to http://freeipa.org for more info on the project
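
Added example, not part of the original thread: a presence check for the two attributes discussed above, run over LDIF exported with ldapsearch -LLL. It assumes the SID is stored in ipaNTSecurityIdentifier (FreeIPA's attribute name, not mentioned in the thread) and uses constructed sample entries; ipaNTHash values are only tested for presence and never displayed.

```python
import base64

# Constructed sample of `ldapsearch -LLL` output; every name and value is made up.
SAMPLE_LDIF = """\
dn: uid=olduser,cn=users,cn=accounts,dc=example,dc=test
uid: olduser

dn: uid=newuser,cn=users,cn=accounts,dc=example,dc=test
uid: newuser
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-
 1005
ipaNTHash:: AAECAwQFBgcICQoLDA0ODw==

dn: uid=nopass,cn=users,cn=accounts,dc=example,dc=test
uid: nopass
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1006
"""

def parse_ldif(text):
    """Yield one {attr_lowercase: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold an RFC 2849 continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # the trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, v = line.partition(":")
            v = base64.b64decode(v[1:].strip()) if v.startswith(":") else v.strip()
            entry.setdefault(attr.lower(), []).append(v)   # "attr:: x" was base64

def audit(text):
    """Return {uid: [problems]}; hash values are checked for presence only."""
    report = {}
    for e in parse_ldif(text):
        problems = []
        if not e.get("ipantsecurityidentifier"):
            problems.append("no SID (ipaNTSecurityIdentifier missing)")
        if not e.get("ipanthash"):
            problems.append("ipaNTHash absent or not readable by this bind")
        if problems and "uid" in e:
            report[e["uid"][0]] = problems
    return report
```

An empty ipaNTHash column for every user usually means the bind identity used for the export is not permitted to read that attribute, so repeat the export with the identity Samba itself binds as before concluding the hashes are missing.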