On Wed, 17 Apr 2019, Vex Mage via FreeIPA-users wrote:
> Hello,
>
>     I've personally been using FreeIPA for some time and I love it
> immensely. I thought I'd start a post here due to the direction my
> troubleshooting has gone instead of the Samba mailing list. Allow me to
> explain what I've done, why I've done it and then the problem I'm having.
>
>     I just recently started working for a school and the school has some
> Windows labs. A problem that has come to my attention is that the OpenLDAP
> to Samba3 NT4 domain they've been using for years is no longer compatible
> with Windows 10. To dispel any illusion, I'm not trying to get the NT4
> domain working nicely with Windows 10. Additionally, Samba4 has changed its
> design structure such that OpenLDAP, or really any LDAP server except
> Samba4's internal LDAP server, will no longer work for the Active Directory.
>
>     The school would like the Windows machines in the labs to authenticate
> students via their OpenLDAP credentials. I am open to alternatives but the
> closest thing I found was adding local users on each Windows workstation
> and having them authenticate to the FreeIPA server. The problem here is
> that users will continually be added and deleted. The Samba project would
> have us go all in with Samba4's internal LDAP server. While I'm not
> directly knocking that, since from my testing it seems to be quite
> functional, the upheaval would be tremendous. Fortunately we were already
> looking into switching to 389 before I came on, so I've been touting the
> possibility of replacing OpenLDAP with FreeIPA since before this Samba4 issue. A
> solution I thought should work is to use a trust between a FreeIPA (IPA)
> and a Samba4 Active Directory (AD). I've since configured both and have
> created that trust.
>
>     I have a Windows 10 machine connected to the Samba4 domain. When I
> attempt to log on with an account from the IPA domain I am presented with
> "Insufficient system resources exist to complete the requested service." At
> first I took this message at face value and increased the memory of the
> workstation from which I'm trying to log on. There are few results from a
> Google search about this error that don't focus on local memory. After
> reading and troubleshooting I believe this failure may be in the
> Kerberos InitializeSecurityContext function that's producing
> SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and
> seemingly not coming from Samba4 AD.
FreeIPA users cannot log in to Windows boxes at this time. This is
unsupported and never was. See my talk at SambaXP 2017: https://sambaxp.org/archive_data/SambaXP2017-SLIDES/Day3/Track2/Global%20Catalog%20implementation%20in%20FreeIPA%20-%20Alexander%20Bokovoy.pdf

I had hoped to implement the Global Catalog service and other quirks to
allow this, but unfortunately other tasks took over. Recently I got a fix
to allow AD DCs to talk to the IPA DC over SMB for some requests, so some
issues might be mitigated, but Windows clients do talk to the Global Catalog
unconditionally and, as you can see in my talk at SambaXP, they don't
really test fallbacks from GC operations, so it might be luck at some
point and a failure in other cases.

Hopefully, once I finish most of the efforts to enable Samba operations on
the domain member, https://github.com/abbra/freeipa/tree/samba-domain-member,
I'll be able to return to the Global Catalog work.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org