Thanks for all your help. I'll give it a go and see how far I get.
On 30 Apr 2013 19:37, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

> On Tue, 30 Apr 2013, 
> simon.williams@thehelpfulcat.**com<simon.willi...@thehelpfulcat.com>wrote:
>
>> That is actually pretty good news.  The real requirement is network
>> storage for the Windows workstations secured by FreeIPA authentication.
>> If I read what you’ve said correctly this is possible now.  I can live
>> with the magical incantations to enrol any new Windows machines for
>> now.  There are a few things that would work better if Windows thought
>> it was logging on to a domain, but we have lived without those features
>> for the last year.  Once a Windows machine has been set up correctly,
>> which can be a bit hit and miss, the authentication works flawlessly .
>>
> To be clear, we have not tested this combination so you'll be in uncharted
> waters.
>
> Since TGT for these users would still be issued by FreeIPA KDC, it would
> include MS-PAC with SIDs of these users in FreeIPA domain -- once you
> have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
> be able to recognize them as FreeIPA users regardless where they come
> from -- IPA or Windows machines, as long as Kerberos is in use.
>
> Any reports of how such setup would actually behave are welcomed.
>
>  It sounds as though I can set up the file server now and then extend it
>> to do the AD DC bit when it is ready.
>>
>
>  I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>> anywhere is there?
>>
> The only requirements for simplistic setup is to:
> 1. run file server on IPA master (you can make a dedicated replica for
> that)
> 2. run ipa-adtrust-install on that master to setup Samba configuration
>    and enable KDC + directory server to handle SIDs
> 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>    uses registry backend to store smb.conf configuration.
>
> See
> http://www.freeipa.org/page/**Howto/IPAv3_AD_trust_setup#**
> Using_Samba_shares<http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares>
> for sample how to work with 'net conf setparm'.
>
> For 'valid users' I guess you can use simply user names since these
> would be our local ones.
>
> Again, this is completely untested right now.
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to