Hello all,

First post here. I have been researching for quite some time and as a Linux 
user I would list myself as medium level. Not an expert, but not new. I have 
a FreeIPA server that is set up as the central identity management server. I 
want to set up two shares within Samba using FreeIPA as the auth source. Please, 
any and all help is welcome. I am doing this for learning purposes, so any 
pointers are helpful as well. 

Share1: public

Share2: homes

Here are a few sites/articles I have read and tried to glean from:
https://www.freeipa.org/page/Howto/I...erver_With_IPA
https://bgstack15.wordpress.com/2017...-freeipa-auth/
https://centos.org/forums/viewtopic.php?f=50&t=61110
https://www.centos.org/docs/5/html/D...a-servers.html


I "think" that the problem I'm facing is either a 
permissions/security (firewalld/SELinux) or configuration issue. I am not the 
best with SELinux yet, but I do want to use it, so turning it off permanently is 
not an option. 

When trying from a Windows 7 VM I get the message "You do not have permission 
to access \\samba.domain.com". Checking from another Linux client that's already 
on the FreeIPA domain and running as the admin user, I get this message:

[root@Desktop ~]# kinit admin
Password for ad...@domain.com: 
[root@Desktop ~]# smbclient -k -L samba.domain.com
session setup failed: NT_STATUS_ACCESS_DENIED
[root@Desktop ~]# smbclient -k //samba.domain.com/public
session setup failed: NT_STATUS_ACCESS_DENIED

Below are the steps I have taken to attempt my setup...

[root@samba ~]# yum install ipa-client sssd-libwclient samba samba-client
[root@samba ~]# ipa-client-install --mkhomedir --force-ntpd
Discovery was successful!
Client hostname: samba.domain.com
Realm: DOMAIN.COM
DNS Domain: domain.com
IPA Server: ldap.domain.com
BaseDN: dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for ad...@domain.com: 
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOMAIN.COM
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Valid From: 2017-09-22 16:17:45
Valid Until: 2037-09-22 16:17:45

....
....
......

[root@samba ~]# kinit admin
Password for ad...@pwg-world.com: 
[root@samba ~]# authconfig --enablesssdauth --enablemkhomedir --update
[root@samba ~]# man ipa-getkeytab
[root@samba ~]# ipa-getkeytab -s ldap.pwg-world.com -p cifs/samba.pwg-world.com -k /etc/samba/samba.keytab
Keytab successfully retrieved and stored in: /etc/samba/samba.keytab
[root@samba ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp
[root@samba ~]# vi /etc/samba/smb.conf
~~~~~~~~~~~~~~~~~~~~~~/etc/samba/smb.conf~~~~~~~~~~~~~~~~~~~~~~
[global]

workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads

[homes]
browsable = no
writable = yes

[shared]
path = /home/shared
writable = yes
browsable = yes
write list = @admins

[public]
path = /public
writable = yes
browsable = yes
valid users = @ipausers

~~~~~~~~~~~~~~~~~~~~~~/etc/samba/smb.conf~~~~~~~~~~~~~~~~~~~~~~
[root@samba ~]# setsebool -P samba_enable_home_dirs on
[root@samba ~]# semanage fcontext -a -t samba_share_t "/public(/.*)?"
[root@samba ~]# restorecon -Rv /public
restorecon reset /public context system_u:object_r:public_content_rw_t:s0->system_u:object_r:samba_share_t:s0
[root@samba ~]# firewall-cmd --permanent --add-service=samba
success
[root@samba ~]# firewall-cmd --reload
success

For the LDAP portion:
[root@ldap ~]# kinit admin
Password for ad...@domain.com: 
[root@ldap ~]# ipa service-add cifs/samba.domain.com
------------------------------------------------------
Added service "cifs/samba.domain....@domain.com"
------------------------------------------------------
Principal name: cifs/samba.domain....@domain.com
Principal alias: cifs/samba.domain....@domain.com
Managed by: samba.domain.com

FreeIPA Server Version:
[root@ldap ~]# rpm -qa | grep ipa-server
ipa-server-trust-ad-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch

FreeIPA Client Version:
[root@samba ~]# rpm -qa | grep ipa-client
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
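An added example, not from the post or from the FreeIPA/Samba projects: a small checker that parses the posted smb.conf together with a `klist -kt` listing and reports the wiring the setup above depends on: `security = ads`, a `dedicated keytab file` when `kerberos method = dedicated keytab` is set, a `cifs/<host>@<REALM>` key that matches the configured realm, and a `valid users` or `write list` restriction on every writable share. The config string, the klist output and the hostname `samba.domain.com` are constructed sample values.

```python
import configparser
import re

# Constructed sample: the smb.conf from the post, reduced to the lines the checks use.
SMB_CONF = """[global]
workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
security = ads
[homes]
writable = yes
[shared]
path = /home/shared
writable = yes
write list = @admins
[public]
path = /public
writable = yes
valid users = @ipausers
"""
# Constructed `klist -kt /etc/samba/samba.keytab` output (assumed host and realm).
KLIST_OK = "KVNO Timestamp           Principal\n   1 09/25/2017 10:12:01 cifs/samba.domain.com@DOMAIN.COM\n"

def parse_smb_conf(text):
    """Parse smb.conf; interpolation is off because values such as log.%m contain '%'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def keytab_principals(klist_text):
    """Pull the principal column out of `klist -kt` lines: KVNO, date, time, principal."""
    return re.findall(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", klist_text, re.M)

def audit(conf, principals, hostname):
    """Return a list of findings; an empty list means the checked settings are consistent."""
    g, findings = conf["global"], []
    if g.get("security", "").lower() != "ads":
        findings.append("global: security must be 'ads' for Kerberos (smbclient -k) logins")
    if g.get("kerberos method") == "dedicated keytab" and "dedicated keytab file" not in g:
        findings.append("global: 'kerberos method = dedicated keytab' needs 'dedicated keytab file'")
    want = f"cifs/{hostname}@{g.get('realm', '').upper()}"
    if want not in principals:
        findings.append(f"keytab: missing {want}; smbd cannot decrypt tickets for this host")
    for share in conf.sections():
        if share in ("global", "homes"):  # [homes] maps each user onto their own directory
            continue
        s = conf[share]
        if s.get("writable", "no").lower() == "yes" and not (s.get("valid users") or s.get("write list")):
            findings.append(f"[{share}]: writable share with no 'valid users' or 'write list'")
    return findings
```

Run `audit(parse_smb_conf(open('/etc/samba/smb.conf').read()), keytab_principals(klist_text), hostname)` on a real host to get the same findings for a live config.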