On Wed, 2009-09-23 at 19:50 +0200, Tomasz Z. Napierala wrote:
> On 2009-09-23, Wed at 17:19 +0200, Simo Sorce wrote:
> > On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote:
> > > Hi,
> > >
> > > I'm currently deploying IPA in our server infrastructure and I came
> > > across one particular problem.
> > > I have several development servers hooked up to IPA. Devs are locally
> > > developing code on them, accessing it through Samba shares. We have like
> > > 120+ devs currently working, so it's a big hassle to manually create smb
> > > accounts, while there's IPA providing logins and passwords. Is there any
> > > way to sync samba passwords with IPA?
> >
> > If you keep samba passwords in Ldap, IPA can automatically generate LM
> > and NT hashes. All you need is the sambaSamAccount objectclass on the
> > user object.
>
> Thank you Simo. Do I have to manually extend the schema or is there any
> semi-automatic way to achieve that?
We integrate freeipa and samba 3, having freeipa generate the sambaSID for users and groups automatically.

First step, you need to modify cn=ipaconfig to have freeipa add the appropriate objectclasses:

ldapmodify <<EOF
dn: cn=ipaconfig,cn=etc,dc=yourdomain
changetype: modify
# objectclasses freeipa adds to every new user entry
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
-
# objectclasses freeipa adds to every new group entry
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping
EOF

Second, you may configure the ipa-dna (or dna) plugin to generate sambaSIDs for users and groups. Something like (using 389's dna plugin):

ldapadd -x -D "cn=Directory Manager" -W <<EOF
# sambaSID = dnaprefix + next free RID, starting at dnanextvalue
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-X-XXXXX-XXXXXXX-XXXXXXXX-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=lgs,dc=com,dc=ve
cn: SambaSid
dnanextvalue: 15277

# interval 0 so every group receives the same sambaGroupType value (2)
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2
EOF

NOTE 1: you have to change the dnaprefix attribute to match the sambaSID of your domain, which you can get with the command "net rpc getlocalsid".

NOTE 2: to maintain kerberos and samba passwords correctly in sync you have to add the "ldap passwd sync = only" parameter to /etc/samba/smb.conf, and you have to use a secure channel between samba and 389 ds, which could be ldaps, ldap + tls, or ldapi.

On a side note to samba / freeipa developers: as it is planned that freeipa will use the 389 DS password policies, it would be very nice if samba had a "389ds" passdb backend, so one could have centralized password and account policies whenever talking to the directory server, be it via ldap, via kerberos or via samba.
--
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: +58 286 952.06.87  Cel: +58 414 095.00.10   sip:1...@lgs.com.ve
------------------------------------------------------------
-O9 -omg-optimize -fomit-instructions
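After the two ldap commands above, a practitioner will want to confirm that the DNA plugin actually assigned SIDs under the right prefix and never handed out the same RID twice. The following is an added example, not code from the thread: it reads a constructed LDIF dump (the kind ldapsearch returns) and reports entries whose sambaSID is still the magic value, sits outside the domain SID, or duplicates another entry. DOMAIN_SID, MAGIC and the sample entries are assumed values.

```python
# Constructed values: set DOMAIN_SID from `net rpc getlocalsid` and MAGIC to the plugin's dnamagicregen.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
MAGIC = "assign"

# Constructed LDIF dump of the kind `ldapsearch -LLL` returns; one good entry and three broken ones.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-15277

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: assign

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-15277

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-15278
"""

def parse_ldif(text):  # minimal reader: blank-line separated entries, one "attr: value" per line
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def check_sids(text, domain_sid=DOMAIN_SID, magic=MAGIC):  # {dn: problem} for bad Samba entries
    problems, seen, prefix = {}, {}, domain_sid + "-"
    for e in parse_ldif(text):
        dn = e["dn"][0]
        if not {c.lower() for c in e.get("objectclass", [])} & {"sambasamaccount", "sambagroupmapping"}:
            continue  # not Samba-mapped, so the DNA filter in the plugin entry does not apply
        sid = e.get("sambasid", [magic])[0]  # a missing attribute counts as "never assigned"
        if sid.lower() == magic.lower():
            problems[dn] = "sambaSID never assigned (DNA plugin not matching this entry?)"
        elif not (sid.startswith(prefix) and sid[len(prefix):].isdigit()):
            problems[dn] = "sambaSID is not under the domain SID (wrong dnaprefix?)"
        elif sid in seen:
            problems[dn] = "duplicate sambaSID, also on " + seen[sid]
        else:
            seen[sid] = dn
    return problems
```

Calling check_sids(SAMPLE_LDIF) flags bob, carol and devs and leaves alice alone; on a live server, feed it the output of an ldapsearch for the two objectclasses used in the dnafilter.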
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users