<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> My Samba server and IPA server are different machines too. I made LDAP replication IPA-SAMBA ( <a class="moz-txt-link-freetext" href="https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=6">https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=6</a> ). Unfortunately, it makes full replication (not only ldap-server), but it works. My Windows machine are <meta http-equiv="content-type" content="text/html; charset=utf-8"> not joined to a domain. <div class="moz-cite-prefix">12.10.2016 03:43, Alan Latteri пишет: </div> <blockquote cite="mid:E5F25F7A-A84D-4DF1-86DF-7C921BA31EE6@instinctualsoftware.com" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> I am trying to get this to work, but our Samba server is not the same machine as out IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 windows machine in our network to be able to access our linux based server, using the same user/pass as that of our IPA authenticated linux machines. <div class=""> </div> <div class=""> <div> <blockquote type="cite" class=""> <div class="">On Oct 10, 2016, at 1:35 PM, Степаненко Алексей <<a moz-do-not-send="true" href="mailto:a.stepanenko@gw.spb.ru" class="">a.stepanenko@gw.spb.ru</a>> wrote:</div> <div class=""> <meta content="text/html; charset=utf-8" http-equiv="Content-Type" class=""> <div text="#000000" bgcolor="#FFFFFF" class=""> I read again the topic <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP">http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP</a> It works exactly as I wanted ipa-adtrust-install created next configuration: <meta http-equiv="content-type" content="text/html; charset=utf-8" class=""> $ net conf list [global] workgroup = WORKGROUP netbios name = SMB realm = GW.SPB.RU kerberos method = dedicated keytab dedicated keytab file = <a moz-do-not-send="true" class="moz-txt-link-freetext" href="file:///etc/samba/samba.keytab">FILE:/etc/samba/samba.keytab</a> create krb5 conf = no security = user domain master = yes domain logons = yes log level = 1 max log size = 100000 log file = /var/log/samba/log.%m passdb backend = ipasam:<a moz-do-not-send="true" href="ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket" class="">ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket</a> disable spoolss = yes ldapsam:trusted = yes ldap ssl = off ldap suffix = dc=gw,dc=spb,dc=ru ldap user suffix = cn=users,cn=accounts ldap group suffix = cn=groups,cn=accounts ldap machine suffix = cn=computers,cn=accounts rpc_server:epmapper = external rpc_server:lsarpc = external rpc_server:lsass = external rpc_server:lsasd = external rpc_server:samr = external rpc_server:netlogon = external rpc_server:tcpip = yes rpc_daemon:epmd = fork rpc_daemon:lsasd = fork But I don't understand why it wasn't put to smb.conf directly. The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace a file socket on net connection was failed. And I had to make LDAP replication. It was easy, but " <meta http-equiv="content-type" content="text/html; charset=utf-8" class=""> ipa-replica-prepare" installed whole IPA server (tomcat, java, ldap), not only ldap-server. I need to continue to read documentation. However the problem was solved. <div class="moz-cite-prefix">06.10.2016 23:51, Степаненко Алексей пишет: </div> <blockquote cite="mid:ff9d93a0-a3e8-e989-3c4a-4e832c46427d@gw.spb.ru" type="cite" class="">Thank you for your reply. I've got Samba server for a company, accounts are created by hand. Clients are different windows or linux desktops. I want to install FreeIPA and have one area for managing accounts (SMB, SSH-access for others servers). Now, I prepare clean samba installation for testing. It would be great to use FreeIPA as authorization server for samba. I was looking for information about samba + freeIPA, but I found only this document. Maybe, I miss obvious things. 06.10.2016 20:31, Loris Santamaria пишет: <blockquote type="cite" class="">The document you are linking to explains how to configure a samba file server in a freeipa domain, which is one of many ways you can configure and use a samba server. What do you want to achieve with samba, and what is your current setup? El jue, 06-10-2016 a las 19:23 +0300, Степаненко Алексей escribió: <blockquote type="cite" class="">Hello. I've read the topic about FreeIPA and SAMBA <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_Wit">http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_Wit</a> h_IPA If I understand clearly, samba's client must be present in FreeIPA AD. Unfortunately, it does not work for me. I can't join some work desktops to AD. Is it possible to make Samba auth trough LDAP IPA ? Samba has ldap support ldap admin dn ldap group suffix ldap idmap suffix ldap machine suffix ldap passwd sync ldap suffix ldap user suffix Does it work with IPA ? Thanks. </blockquote> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </div> -- Manage your subscription for the Freeipa-users mailing list: <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" class="">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project</div> </blockquote> </div> </div> </blockquote> <pre class="moz-signature" cols="72">-- С уважением, Степаненко Алексей, Руководитель группы информационных технологий, ООО "Глобал Веб Групп" Сайт: http//gw.spb.ru Тел.: +7 (812) 409-00-90</pre> </body> </html>