Hi all,

I'm still having a lot of not-fun with this o.0
By now I have Yet Another Box, running RHEL 8.6, with samba fully working as 
"member server" and serving all my shares that it gets by nfs+automount.

Now here's the fun part: I've put openSUSE Leap 15.4 on a VM on that same 
host, and hooked that VM into my IPA domain and ran ipa-client-samba ... and 
that samba in that VM runs just fine!

After trying to find all traces of samba on my actual server, deleting them, 
removing that host from my IPA domain and re-adding it and rerunning 
ipa-client-samba without any success I came to the point where I'm thinking this 
all might actually be because my IPA is on the same host where samba is not 
working, but not actually on that host - it's in a docker container running on 
that host - so the IP address that ipa itself sees as "my address" is not the 
same that all the clients see from the outside, so maybe samba on that same 
physical host somehow talks to the actual IP inside the container because it 
somehow ignores the ip namespace?

Cheers
MH


On Wednesday, 8 June 2022, 00:35:48 CEST, Brendan Kearney via FreeIPA-users wrote:
> it's been a long time since i dug into all the gory bits and bobs of 
> samba configs, but i have some nifty functionality working via some 
> go-it-alone ingenuity.  I have a fedora box, running samba, and it is 
> tied to my OpenLDAP/Kerberos/SASL domain via sssd.
> 
> in sssd, i set the id_provider to ldap and use the rfc2307bis schema.  
> nss, pam, sudo and autofs are all configured and the fixins for ldap_*, 
> krb5_*, ldap_autofs_* are set to my needs.
> 
> in samba, i set things up so that this box is the only primary/master, 
> etc.  when it comes to security, i set it to USER, but add in all the 
> realm and kerberos configs.  i have the ldap configs pointing to my ldap 
> instances and proper OUs, but i don't think those are used.  note, that i 
> do have a kerberos keytab set up and do have to manually add each user to 
> the tdbsam database.  the users added to the tdbsam database do not need 
> a password set, but do need to be enabled, à la "smbpasswd -an $user".
> 
> when i setup my shares, i specify "valid user" and the group name is 
> preceded with a '+', thereby leveraging pam, instead of ldap for the 
> group membership.
> 
> effectively, samba pushes ownership and access controls to the pam 
> stack, which leverages sssd under the covers.  thus, my samba access 
> controls are governed indirectly by the domain/REALM.
> 
> some config stuffs below.  note, this is my home setup so ssl/tls is not 
> set up, and some security may be too lax for production use.
> 
> [global]
>          workgroup = BPK2.COM
>          server string = smb.bpk2.com
>          interfaces = 127.0.0.1, 192.168.253.3/32
>          bind interfaces only = Yes
>          logging = syslog
>          load printers = No
>          printing = bsd
>          printcap name = /dev/null
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          domain logons = Yes
>          preferred master = Yes
>          domain master = Yes
>          wins proxy = No
>          wins support = Yes
>          dns proxy = Yes
>          disable netbios = Yes
>          smb ports = 445
>          name resolve order = host
>          remote announce = 192.168.1.255 192.168.24.255 192.168.152.255 192.168.184.255 192.168.185.255 192.168.248.255
>          remote browse sync = 192.168.1.255 192.168.24.255 192.168.152.255 192.168.184.255 192.168.185.255 192.168.248.255
>          hosts allow = 127., 192.168.1., 192.168.24., 192.168.152., 192.168.184., 192.168.185., 192.168.248.
> 
>          # performance tuning
>          socket options = IPTOS_LOWDELAY TCP_NODELAY
>          min receivefile size = 2048
>          use sendfile = true
>          aio read size = 2048
>          aio write size = 2048
>          read raw = yes
>          write raw = yes
>          getwd cache = yes
>          oplocks = yes
>          max xmit = 32768
>          dead time = 15
>          large readwrite = yes
> 
>          security = USER
>          realm = BPK2.COM
>          kerberos method = dedicated keytab
>          dedicated keytab file = /etc/samba/samba.keytab
>          disable netbios = Yes
> 
>          passdb backend = tdbsam
> 
>          ldap admin dn = cn=Manager,dc=bpk2,dc=com
>          ldap group suffix = ou=domainGroups,ou=Groups
>          ldap machine suffix = ou=Computers
>          ldap user suffix = ou=domainUsers,ou=Users
>          ldap suffix = dc=bpk2,dc=com
>          ldap ssl = no
> 
>          idmap config * : backend      = ldap
>          idmap config * : range        = 10000 - 19999
>          idmap config * : ldap_url     = ldap://ldap.bpk2.com/
>          idmap config * : ldap_base_dn = dc=bpk2,dc=com
>          idmap config * : ldap_user_dn = cn=Manager,dc=bpk2,dc=com
> 
>          add user script = /usr/sbin/useradd "%u" -n -g users
>          add group script = /usr/sbin/groupadd "%g"
>          add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>          delete user script = /usr/sbin/userdel "%u"
>          delete user from group script = /usr/sbin/userdel "%u" "%g"
>          delete group script = /usr/sbin/groupdel "%g"
> 
>          nt pipe support = no
> 
> [data]
>          comment = Data Share
>          path = /export/data
>          valid users = +nasData
>          read only = No
> 
> On 6/7/22 3:08 PM, Alexander Bokovoy via FreeIPA-users wrote:
> 
> > On Tue, 07 Jun 2022, Mathias Homann via FreeIPA-users wrote:
> > 
> >> Hi all,
> >>
> >> I have successfully deployed a FreeIPA server in docker using the image from
> >> https://hub.docker.com/r/freeipa/freeipa-server/, and on the linux side
> >> everything works just fine - user logins, automount, using IPA as
> >> authentication source for AWX and portainer, you name it.
> >>
> >> Today I have joined my samba server to the ipa realm, and finally turned off
> >> nis - and that's where the *** hit the fan: samba isn't working anymore.
> >>
> >> If I run that samba as standalone I can't connect because it seems that samba
> >> (on opensuse) doesn't know how to get user details from sssd, so when I tried
> >> to connect I got this:
> >> [2022/06/07 17:49:25.744112,  0] ../../source3/passdb/lookup_sid.c:1633(get_primary_group_sid)
> >>  Failed to find a Unix account for lemmy
> >>
> >> So I made my way through
> >> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> >> but that's not helping either.
> >> Now, when I try something like "smbclient -k -L smbserver" I get some weird
> >> "session setup failed: NT_STATUS_INVALID_PARAMETER" message on the commandline
> >> - but it works just fine when I run the same command against the actual ipa
> >> server.
> >> Right now I'm using the minimal smb.conf from that website.
> >>
> >> What am I missing?
> >
> > FreeIPA's wiki page with a howto is pretty much outdated. It has mention
> > of that but since it is contributed by community members, we have left
> > it in place.
> >
> > We have -- at least in Fedora and RHEL -- a working Samba domain member
> > configuration that is generated by ipa-client-samba tool
> > (freeipa-client-samba package in Fedora or ipa-client-samba in RHEL). It
> > is based on use of SSSD and Samba with idmap_sss.
> >
> > You can read more details on how it is configured at
> > https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html
> > and
> > https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html
> >
> > Since this was implemented, Samba further tightened supported
> > configurations. Basically, if you are using Kerberos, there are only two
> > supported configurations:
> >
> >  - domain member in AD domain
> >  - domain member in IPA domain
> >
> > In both configurations we use winbindd with specific IDMAP backends:
> > 'ad' or 'sss' for AD setup and 'sss' for IPA. Using 'ad' backend is not
> > going to work with IPA domain because Samba's idmap_ad expects AD LDAP
> > schema and global catalog.
> >
> > If you cannot get 'sss' IDMAP module in openSUSE, my only recommendation
> > would be to migrate your Samba server to Fedora. This is one of areas
> > where tight integration between OS distribution components is important
> > to have.
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


-- 
Mathias Homann
[email protected]
Jabber (XMPP): [email protected]
Matrix: @mathias:eregion.de
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
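A small config audit that applies the constraints stated in this thread (Alexander's rule that a Kerberos-joined Samba is only supported as a winbindd domain member with idmap 'ad' or 'sss', and Brendan's own remark that his LDAP/tdbsam setup is lax) to a trimmed copy of the quoted [global] section; this is an added example, not code from the thread, from FreeIPA or from Samba. The parser and the check wording are my own; the fallback values for `idmap config * : backend` (tdb) and `ldap ssl` (start tls) are Samba's documented defaults.

```python
import re
# Constructed sample, trimmed from the [global] section quoted in this thread.
SAMPLE_SMB_CONF = """\
[global]
        security = USER
        realm = BPK2.COM
        kerberos method = dedicated keytab
        disable netbios = Yes
        passdb backend = tdbsam
        ldap admin dn = cn=Manager,dc=bpk2,dc=com
        ldap ssl = no
        idmap config * : backend      = ldap
        idmap config * : range        = 10000 - 19999
        disable netbios = Yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'key = value', '#'/';' comment lines.
    Keys are lower-cased with whitespace collapsed; a repeated key keeps its last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def audit(conf):
    """Findings for [global], applying the constraints stated in the thread."""
    g, findings = conf.get("global", {}), []
    kerberos = "realm" in g or "kerberos method" in g
    backend = g.get("idmap config * : backend", "tdb").lower()  # tdb is Samba's default
    if kerberos and backend not in ("sss", "ad"):
        findings.append(f"idmap backend '{backend}': with Kerberos only winbindd with "
                        "idmap 'ad' (AD member) or 'sss' (IPA member) is supported")
    if "ldap admin dn" in g and g.get("ldap ssl", "start tls").lower() == "no":
        findings.append("ldap ssl = no with an admin bind DN: directory traffic and "
                        "bind credentials cross the wire unencrypted")
    if kerberos and g.get("passdb backend", "").startswith("tdbsam"):
        findings.append("tdbsam beside a Kerberos realm: accounts are a local list "
                        "enabled by hand (smbpasswd -an), not governed by the domain")
    return findings

if __name__ == "__main__":
    print(*audit(parse_smb_conf(SAMPLE_SMB_CONF)), sep="\n")
```

Run against the sample it reports the three findings above; a config with `realm` set and `idmap config * : backend = sss` and no LDAP bind DN comes back clean.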

