El mié, 23-09-2009 a las 19:50 +0200, Tomasz Z. Napierala escribió:
> Dnia 2009-09-23, śro o godzinie 17:19 +0200, Simo Sorce pisze:
> > On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote:
> > > Hi,
> > > 
> > > I'm currently deploying IPA in our server infrastructure and I came
> > > across one particular problem.
> > > I have several development servers hooked up to IPA. Devs are locally
> > > developing code on them, accessing it through Samba shares. We have like
> > > 120+ devs currently working, so it's a big hassle to manually create smb
> > > accounts, while there's IPA providing logins and passwords. Is there any
> > > way to sync samba passwords with IPA.
> > 
> > If you keep samba passwords in Ldap, IPA can automatically generate LM
> > and NT hashes. All you need is the sambaSamAccount objectclass on the
> > user object.
> Thank you Simo. Do I have to manually extend schema or is there any
> semi-automatic way to achieve that?

We integrate freeipa and samba 3 having freeipa generating automatically
the sambaSID for users and groups.

First step, you need to modify cn=ipaconfig to have freeipa add the
appropriate objectclasses:

ldapmodify <<EOF
dn: cn=ipaconfig,cn=etc,dc=yourdomain
changetype: modify
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping

Second you may configure the ipa-dna (or dna) plugin to generate
sambasids for users and groups. Something like (using 389's dna plugin):

ldapadd -x -D "cn=Directory Manager" -W <<EOF
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=lgs,dc=com,dc=ve
cn: SambaSid
dnanextvalue: 15277

dn: cn=sambaGroupType,cn=Distributed Numeric Assignment 
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2

NOTE 1, you have to change the dnaprefix attribute to match the sambaSID
of your domain, which you can get with the command "net rpc getlocalsid"

NOTE 2, to mantain kerberos and samba password correctly in sync you
have to add the "ldap passwd sync = only" parameters
to /etc/samba/smb.conf and you have to use a secure channel between
samba and 389 ds, which could be ldaps, ldap + tls, or ldapi.

On a side note to samba / freeipa developers, as is planned that freeipa
will use the 389 DS password policies, it would be very nice if samba
had a "389ds" passdb backend so one could have centralized password and
account policies whenever talking to the directory server, be it via
ldap, via kerberos or via samba.

Loris Santamaria   linux user #70506       xmpp:lo...@lgs.com.ve
Links Global Services, C.A.                http://www.lgs.com.ve
Tel: +58 286 952.06.87 Cel: +58 414 095.00.10 sip:1...@lgs.com.ve
-O9 -omg-optimize -fomit-instructions

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Freeipa-users mailing list

Reply via email to