Hello all,

First post here. I have been researching for quite some time and as a Linux 
user I would rate myself at a medium level. Not an expert, but not new. I have 
a FreeIPA server that is set up as the central identity management server. I 
want to set up two shares within Samba using FreeIPA as the auth source. Please, 
any and all help is welcomed. I am doing this for learning purposes, so any 
pointers are helpful as well. 

Share1: public

Share2: homes

Here are a few sites/articles I have read and tried to glean off of:

I "think" that the problem I'm facing is either a 
permissions/security (firewalld/SELinux) or configuration issue. I am not the 
best with SELinux yet, but I do want to use it, so turning it off permanently is 
not an option. 

When trying from a Windows 7 VM I get the message "You do not have permission 
to access \\samba.domain.com". Checking from another Linux client that's already 
on the FreeIPA domain and running as the admin user, I get this message:

[root@Desktop ~]# kinit admin
Password for ad...@domain.com: 
[root@Desktop ~]# smbclient -k -L samba.domain.com
session setup failed: NT_STATUS_ACCESS_DENIED
[root@Desktop ~]# smbclient -k //samba.domain.com/public
session setup failed: NT_STATUS_ACCESS_DENIED

Below are the steps I have taken to attempt my setup...

[root@samba ~]# yum install ipa-client sssd-libwclient samba samba-client
[root@samba ~]# ipa-client-install --mkhomedir --force-ntpd
Discovery was successful!
Client hostname: samba.domain.com
DNS Domain: domain.com
IPA Server: ldap.domain.com
BaseDN: dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for ad...@domain.com: 
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOMAIN.COM
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Valid From: 2017-09-22 16:17:45
Valid Until: 2037-09-22 16:17:45


[root@samba ~]# kinit admin
Password for ad...@pwg-world.com: 
[root@samba ~]# authconfig --enablesssdauth --enablemkhomedir --update
[root@samba ~]# man ipa-getkeytab
[root@samba ~]# ipa-getkeytab -s ldap.pwg-world.com -p cifs/samba.pwg-world.com -k /etc/samba/samba.keytab
Keytab successfully retrieved and stored in: /etc/samba/samba.keytab
[root@samba ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp
[root@samba ~]# vi /etc/samba/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads

[homes]
browsable = no
writable = yes

; section name was not preserved in the post; [shared] assumed from the path
[shared]
path = /home/shared
writable = yes
browsable = yes
write list = @admins

[public]
path = /public
writable = yes
browsable = yes
valid users = @ipausers

[root@samba ~]# setsebool -P samba_enable_home_dirs on
[root@samba ~]# semanage fcontext -a -t samba_share_t "/public(/.*)?"
[root@samba ~]# restorecon -Rv /public
restorecon reset /public context 
[root@samba ~]# firewall-cmd --permanent --add-service=samba
[root@samba ~]# firewall-cmd --reload

For the ldap portion:
[root@ldap ~]# kinit admin
Password for ad...@domain.com: 
[root@ldap ~]# ipa service-add cifs/samba.domain.com
Added service "cifs/samba.domain....@domain.com"
Principal name: cifs/samba.domain....@domain.com
Principal alias: cifs/samba.domain....@domain.com
Managed by: samba.domain.com
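Two offline checks for a setup like the one above, added here as an example and not part of the original post or of the FreeIPA/Samba projects: the first lints an smb.conf for the structural mistakes that most often follow from editing by hand (the excerpt in the post appears to have lost its [section] headers, which the linter reports as "setting outside any [section]"), the second confirms that a "klist -kt" listing of the dedicated keytab contains the cifs/<fqdn>@REALM principal that smbd needs with "kerberos method = dedicated keytab". Both work on text, so the sample smb.conf and klist output below are constructed; the hostnames and realm are taken from the post, and on a real server you would point them at /etc/samba/smb.conf and "klist -kt /etc/samba/samba.keytab".

```shell
#!/bin/sh
# Added example, not from the post: offline sanity checks for a Samba file
# server enrolled in FreeIPA. Both checks work on text (a saved smb.conf and
# "klist -kt" output), so they run anywhere; on the real server point them at
# /etc/samba/smb.conf and the dedicated keytab. Hostnames follow the post;
# every sample below is constructed.

# smb_conf_lint FILE : print problems, exit 1 if any. Catches
#  - "key = value" lines under no [section] (the post's excerpt lost its headers)
#  - security = ads without realm
#  - kerberos method = dedicated keytab without dedicated keytab file
#  - a share other than [homes] without a path
smb_conf_lint() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function finish(sec,   k) {           # called when a section ends
        if (sec != "" && sec != "[global]" && sec != "[homes]" && !("path" in keys)) {
            print "share " sec " has no path"; bad = 1
        }
        for (k in keys) delete keys[k]
    }
    BEGIN { bad = 0; section = "" }
    /^[ \t]*$/ || /^[ \t]*[;#]/ { next }  # blank lines and comments
    /^[ \t]*\[/ { finish(section); section = tolower(trim($0)); next }
    /=/ {
        line = trim($0); eq = index(line, "=")
        if (section == "") { print "setting outside any [section]: " line; bad = 1; next }
        k = tolower(trim(substr(line, 1, eq - 1))); v = tolower(trim(substr(line, eq + 1)))
        keys[k] = v; if (section == "[global]") g[k] = v
        next
    }
    END {
        finish(section)
        if (g["security"] == "ads" && !("realm" in g)) { print "security = ads but no realm"; bad = 1 }
        if (g["kerberos method"] == "dedicated keytab" && !("dedicated keytab file" in g)) {
            print "dedicated keytab method but no dedicated keytab file"; bad = 1
        }
        exit bad
    }' "$1"
}

# keytab_has_principal PRINCIPAL : reads "klist -kt KEYTAB" output on stdin and
# succeeds only if PRINCIPAL is listed (smbd needs cifs/<fqdn>@REALM here).
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $NF == want { found = 1 } END { exit !found }'
}

# ---- constructed demo input ----
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
security = ads

[homes]
browsable = no
writable = yes

[public]
path = /public
writable = yes
valid users = @ipausers
EOF
# Same settings with the headers stripped, as the excerpt appears in the post.
cat >"$BAD_CONF" <<'EOF'
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
path = /public
valid users = @ipausers
EOF
SAMPLE_KLIST='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/22/2017 16:20:01 cifs/samba.domain.com@DOMAIN.COM'

# ---- run the checks ----
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if smb_conf_lint "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal 'cifs/samba.domain.com@DOMAIN.COM'; then
    echo "keytab: cifs principal present"
else
    echo "keytab: cifs principal MISSING"
fi
```

The linter deliberately stays simple (no include handling, no parameter validation beyond the few Kerberos-related dependencies) so that it can be read in one sitting; for the full check of a real file, "testparm -s" remains the authoritative tool, and the keytab check is the one step testparm cannot do for you.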

FreeIPA Server Version:
[root@ldap ~]# rpm -qa | grep ipa-server

FreeIPA Client Version:
[root@samba ~]# rpm -qa | grep ipa-client
