On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:
That is actually pretty good news.  The real requirement is network
storage for the Windows workstations secured by FreeIPA authentication.
If I read what you’ve said correctly this is possible now.  I can live
with the magical incantations to enrol any new Windows machines for
now.  There are a few things that would work better if Windows thought
it was logging on to a domain, but we have lived without those features
for the last year.  Once a Windows machine has been set up correctly,
which can be a bit hit and miss, the authentication works flawlessly.
To be clear, we have not tested this combination so you'll be in uncharted

Since TGT for these users would still be issued by FreeIPA KDC, it would
include MS-PAC with SIDs of these users in FreeIPA domain -- once you
have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
be able to recognize them as FreeIPA users regardless of where they come
from -- IPA or Windows machines, as long as Kerberos is in use.

Any reports of how such a setup would actually behave are welcome.

It sounds as though I can set up the file server now and then extend it
to do the AD DC bit when it is ready.

I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
anywhere is there?
The only requirements for a simplistic setup are to:
1. run the file server on the IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to set up the Samba configuration
  and enable the KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to set up shares, since Samba on the IPA master
  uses the registry backend to store the smb.conf configuration.

for a sample of how to work with 'net conf setparm'.

For 'valid users' I guess you can simply use user names since these
would be our local ones.

Again, this is completely untested right now.
So, I tried a quick test for this, using the admins group:

1. Setup shared space, apply SELinux context and modify ACLs:
[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx  /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root

2. Create actual Samba share:
[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y 

3. Obtain a TGT for the Kerberos identity (admin, belongs to the admins group):
[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied a
few files in several sessions, showing the last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
  .                                   D        0  Tue Apr 30 22:06:51 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
  .                                   D        0  Tue Apr 30 22:10:35 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \>

Check status of the last copied file, notice permissions and SELinux
[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
  Size: 47112           Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
 Birth: -

/ Alexander Bokovoy

Freeipa-users mailing list
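The procedure above (share directory with samba_share_t context and a group ACL, then 'net conf addshare' because smb.conf on the IPA master lives in the registry) as an added example script, not code from the thread or from the FreeIPA/Samba projects. It assumes ipa-adtrust-install has already been run on the master and that the 'net conf' tool is available there; share name, path and group default to the thread's testshare / /srv/testshare / admins. The setgid bit, default ACL, 'force group', 'create mask' and 'directory mask' settings are assumptions added here to address what the stat output in the thread shows: the uploaded file ended up 0744 with the uploader's own uid/gid, so other members of admins would get read access only.

```sh
#!/bin/sh
# Added example: provision a group-restricted Samba share on a FreeIPA master
# whose Samba configuration is stored in the registry (post ipa-adtrust-install).
# Not from the thread; the ACL/mask hardening below is this example's own choice.
set -eu

# Emit the provisioning commands as text. Keeping this a pure function lets the
# plan be reviewed (and tested) before anything is run on the host.
share_plan() {
    share="$1"; path="$2"; group="$3"
    # Arguments are spliced into a command stream, so refuse anything that
    # could break out of the single quotes in the generated lines.
    case "$share$path$group" in
        *[!A-Za-z0-9_./-]*) echo "share_plan: unsafe characters in arguments" >&2; return 1 ;;
    esac
    # - 2770 + setgid: only the group can enter; new entries inherit the group.
    # - default ACL (-d): new files/dirs carry the group entry, not just the dir.
    # - 'valid users' with @group checks the UNIX group served by SSSD on the
    #   master; plain IPA user names, as suggested in the thread, also work.
    # - 'force group' + masks: files land as group-writable for collaborators
    #   instead of 0744 owned by the uploader's private group.
    cat <<EOF
mkdir -p -- '$path'
chgrp -- '$group' '$path'
chmod 2770 -- '$path'
chcon -t samba_share_t -- '$path'
setfacl -m 'g:$group:rwx' -- '$path'
setfacl -d -m 'g:$group:rwx' -- '$path'
net conf addshare '$share' '$path' writeable=y guest_ok=n
net conf setparm '$share' 'valid users' '@$group'
net conf setparm '$share' 'force group' '$group'
net conf setparm '$share' 'create mask' '0660'
net conf setparm '$share' 'directory mask' '2770'
net conf setparm '$share' 'inherit acls' 'yes'
EOF
}

# Run the plan on this host and show the resulting share definition and ACL.
# Needs root on the IPA master; verify afterwards from a client with a TGT
# for a group member: smbclient -k //master.example/share -c 'ls'
share_apply() {
    share_plan "$1" "$2" "$3" | sh -e
    net conf showshare "$1"
    getfacl -- "$2"
}

# Default mode only prints the plan, so running the script with no arguments
# changes nothing on the host.
case "${1:-plan}" in
    plan)  share_plan "${2:-testshare}" "${3:-/srv/testshare}" "${4:-admins}" ;;
    apply) share_apply "${2:-testshare}" "${3:-/srv/testshare}" "${4:-admins}" ;;
    *)     echo "usage: $0 [plan|apply] [share] [path] [group]" >&2; exit 2 ;;
esac
```

Run it as 'sh share.sh plan' to review the commands, then 'sh share.sh apply' as root on the master. The input check matters because the share name and path are interpolated into shell commands that run as root; a name containing a quote or semicolon would otherwise become part of the command stream.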