Thanks for the suggestions so far!

I'm documenting this on this thread because I found out why the previous
system had the custom sambaSamAccount attributes: They seem to be necessary
to authenticate SMB shares when FreeIPA is the LDAP backend to a Synology
NAS.  If I try to set LDAP authentication now, I get this error on Synology
DSM:

> Issue Details: The LDAP server does not support Samba schema.
> ...
> Recommended action: Enable CIFS plain text password authentication.  [and
> if you do], this DSM cannot be the remote mount target of CIFS.

Some past threads on freeipa-users (mostly for TrueNAS) suggest that the
Samba schema attributes are deprecated in favour of something using
Kerberos, but I do not get that option in Synology at all.

I believe the previous sysadmins of our shop must have followed this guide
by Markus Opolka, or a similar HOWTO:
https://blog.cubieserver.de/2018/synology-nas-samba-nfs-and-kerberos-with-freeipa-ldap/

That would explain why I couldn't create users with the Web interface in my
new FreeIPA (4.11) instance; this guide necessitates manual setting of the
Samba attributes via command-line `ipa user-add` flags.

However, it is then a mystery to me why user account creation worked via
Web interface in the old (4.5) instance.

I'm not sure how to proceed here since CIFS mounting is one of our users'
primary uses of LDAP in the first place.  Maybe I'll recreate the Samba
attributes after all, try to restore the previous values from backups, and
document properly how to create users with the command-line options.

[]s
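As an added example (not code from this thread or from FreeIPA itself), the following parser reads a `cn=ipaConfig` dump like the one quoted below and reports the two things that decide whether SMB password authentication against FreeIPA can work at all: which non-default object classes are stamped on new users, and whether `AllowNThash` is set. The sample entry is a constructed, abridged copy of the posted config; `DEFAULT_USER_CLASSES` is the posted list minus the two classes Alexander identifies as non-default.

```python
# Added example, not from the thread: audit a cn=ipaConfig LDIF entry for the
# settings that matter to CIFS/SMB password authentication via FreeIPA LDAP.
from collections import defaultdict

# Object classes FreeIPA puts on new users by default: the posted list minus
# sambaSamAccount and shadowAccount, which the thread says are not defaults.
DEFAULT_USER_CLASSES = {
    "top", "person", "organizationalperson", "inetorgperson", "inetuser",
    "posixaccount", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
    "ipasshuser",
}

# Constructed sample: an abridged copy of the config quoted in this thread.
SAMPLE_LDIF = """\
dn: cn=ipaConfig,cn=etc,dc=example,dc=local
ipaconfigstring: AllowNThash
ipaconfigstring: KDC:Disable Last Success
ipaselinuxusermaporder: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023
 $unconfined_u:s0-s0:c0.c1023
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: posixaccount
ipaUserObjectClasses: sambasamaccount
ipaUserObjectClasses: shadowAccount
"""

def parse_ldif_entry(text):
    """Return {attribute_lowercased: [values]} for one LDIF entry.
    A line starting with a space continues the previous value (RFC 2849)."""
    attrs, last = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
        elif line.strip():
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last].append(value.strip())
    return dict(attrs)

def audit_samba_settings(ldif_text):
    """Report non-default user object classes and whether NT hashes are kept."""
    attrs = parse_ldif_entry(ldif_text)
    classes = attrs.get("ipauserobjectclasses", [])
    extra = [c for c in classes if c.lower() not in DEFAULT_USER_CLASSES]
    # AllowNThash makes FreeIPA keep an NT hash of each password (unsalted MD4,
    # i.e. password-equivalent), which NTLM-style SMB password auth needs.
    return {
        "samba_schema_on_users": any(c.lower() == "sambasamaccount" for c in classes),
        "non_default_classes": extra,
        "nt_hash_enabled": "AllowNThash" in attrs.get("ipaconfigstring", []),
        # The removal command from Alexander's reply, one per non-default class.
        "removal_commands": [
            f"ipa config-mod --delattr=ipaUserObjectClasses={c}" for c in extra],
    }
```

Run it against the real output of `ipa config-show --all --raw` before deciding whether to drop or recreate the Samba classes; treat a stored NT hash as equivalent to the password when planning backups and restores.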

On Mon, 29 Jan 2024 at 14:52, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 29 Jan 2024, Melissa Ferreira da Silva Boiko via FreeIPA-users wrote:
> >Seems like it has "ipaUserObjectClasses: sambasamaccount" which I see
> >mentioned in very old threads about Samba support only.  Here's the
> >full config:
>
> Thanks. You can remove sambaSamAccount by running
>
> $ ipa config-mod --delattr=ipaUserObjectClasses=sambaSamAccount
>
> Same applies to shadowAccount which we don't use by default either.
>
> >
> >```
> >  dn: cn=ipaConfig,cn=etc,dc=example,dc=local
> >  ipamaxusernamelength: 32
> >  ipahomesrootdir: /home
> >  ipadefaultloginshell: /bin/bash
> >  ipadefaultprimarygroup: ipausers
> >  ipadefaultemaildomain: example.com
> >  ipasearchtimelimit: 2
> >  ipasearchrecordslimit: 100
> >  ipausersearchfields: uid,givenname,sn,telephonenumber,ou,title
> >  ipagroupsearchfields: cn,description
> >  ipamigrationenabled: FALSE
> >  ipacertificatesubjectbase: O=EXAMPLE.LOCAL
> >  ipapwdexpadvnotify: 4
> >  ipaconfigstring: AllowNThash
> >  ipaconfigstring: KDC:Disable Last Success
> >  ipaselinuxusermaporder: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> >  ipaselinuxusermapdefault: unconfined_u:s0-s0:c0.c1023
> >  ipakrbauthzdata: MS-PAC
> >  ipakrbauthzdata: nfs:NONE
> >  ipauserauthtype: disabled
> >  ipauserauthtype: password
> >  cn: ipaConfig
> >  ipaGroupObjectClasses: top
> >  ipaGroupObjectClasses: groupofnames
> >  ipaGroupObjectClasses: nestedgroup
> >  ipaGroupObjectClasses: ipausergroup
> >  ipaGroupObjectClasses: ipaobject
> >  ipaMaxHostnameLength: 64
> >  ipaUserObjectClasses: top
> >  ipaUserObjectClasses: person
> >  ipaUserObjectClasses: organizationalperson
> >  ipaUserObjectClasses: inetorgperson
> >  ipaUserObjectClasses: inetuser
> >  ipaUserObjectClasses: posixaccount
> >  ipaUserObjectClasses: krbprincipalaux
> >  ipaUserObjectClasses: krbticketpolicyaux
> >  ipaUserObjectClasses: ipaobject
> >  ipaUserObjectClasses: ipasshuser
> >  ipaUserObjectClasses: sambasamaccount
> >  ipaUserObjectClasses: shadowAccount
> >  objectClass: nsContainer
> >  objectClass: top
> >  objectClass: ipaGuiConfig
> >  objectClass: ipaConfigObject
> >  objectClass: ipaUserAuthTypeClass
> >  objectClass: ipaNameResolutionData
> >```
> >
> >Thanks!
> >--
> >_______________________________________________
> >FreeIPA-users mailing list -- [email protected]
> >To unsubscribe send an email to [email protected]
> >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> >Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>