Thanks for all your help. I'll give it a go and see how far I get. On 30 Apr 2013 19:37, "Alexander Bokovoy" <[email protected]> wrote:
> On Tue, 30 Apr 2013, simon.williams@thehelpfulcat.com wrote:
>> That is actually pretty good news. The real requirement is network
>> storage for the Windows workstations secured by FreeIPA authentication.
>> If I read what you've said correctly this is possible now. I can live
>> with the magical incantations to enrol any new Windows machines for
>> now. There are a few things that would work better if Windows thought
>> it was logging on to a domain, but we have lived without those features
>> for the last year. Once a Windows machine has been set up correctly,
>> which can be a bit hit and miss, the authentication works flawlessly.
>
> To be clear, we have not tested this combination so you'll be in uncharted
> waters.
>
> Since the TGT for these users would still be issued by the FreeIPA KDC, it would
> include an MS-PAC with the SIDs of these users in the FreeIPA domain -- once you
> have run ipa-adtrust-install, of course. Thus, smbd on the IPA master would
> be able to recognize them as FreeIPA users regardless of where they come
> from -- IPA or Windows machines -- as long as Kerberos is in use.
>
> Any reports of how such a setup would actually behave are welcomed.
>
>> It sounds as though I can set up the file server now and then extend it
>> to do the AD DC bit when it is ready.
>>
>> I don't suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>> anywhere, is there?
>
> The only requirements for a simplistic setup are to:
> 1. run the file server on an IPA master (you can make a dedicated replica for
>    that)
> 2. run ipa-adtrust-install on that master to set up the Samba configuration
>    and enable the KDC + directory server to handle SIDs
> 3. use 'net conf setparm ...' to set up shares, since Samba on an IPA master
>    uses the registry backend to store the smb.conf configuration.
>
> See
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
> for a sample of how to work with 'net conf setparm'.
>
> For 'valid users' I guess you can simply use user names since these
> would be our local ones.
>
> Again, this is completely untested right now.
>
> --
> / Alexander Bokovoy
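The three steps quoted above (file server on the IPA master, ipa-adtrust-install, shares defined through 'net conf' because smb.conf lives in the registry backend) end up as a handful of 'net conf addshare' / 'net conf setparm' calls. The following script is an added example and is not part of the original thread or of the FreeIPA project; the share name, path, user list and the masks it sets are assumptions for illustration. It is meant to be run as root on the IPA master after ipa-adtrust-install; setting NET="echo net" prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread above): define one Samba
# share on a FreeIPA master through 'net conf', since smb.conf on the master
# is stored in the registry backend. Share name, path, user list and masks
# are illustrative assumptions. Set NET="echo net" for a dry run.
NET="${NET:-net}"

# Create a share and restrict it to the given IPA users.
#   $1  share name (letters, digits, '_' or '-')
#   $2  absolute directory path on the master
#   $3  space-separated 'valid users' list (plain IPA user names, as the
#       reply suggests for users local to the IPA domain)
# Returns non-zero on bad input or if any 'net conf' call fails.
ipa_add_share() {
  name=$1; path=$2; users=$3
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "ipa_add_share: bad share name '$name'" >&2; return 1 ;;
  esac
  case $path in
    /*) ;;
    *) echo "ipa_add_share: path must be absolute: '$path'" >&2; return 1 ;;
  esac
  case $users in
    '') echo "ipa_add_share: empty 'valid users' list" >&2; return 1 ;;
  esac
  # writeable=y, guest_ok=n: only authenticated (here Kerberos) users get in.
  $NET conf addshare "$name" "$path" writeable=y guest_ok=n "IPA share $name" || return 1
  # Access control is expressed only through 'valid users' here.
  $NET conf setparm "$name" 'valid users' "$users" || return 1
  # Keep new files and directories closed to 'other' (assumed policy).
  $NET conf setparm "$name" 'create mask' '0660' || return 1
  $NET conf setparm "$name" 'directory mask' '0770' || return 1
}

# Print the registry-backed definition of a share so it can be reviewed.
ipa_show_share() {
  $NET conf showshare "$1"
}

# Example run when executed directly (skipped when sourced by a test).
if [ "${0##*/}" = "ipa_share.sh" ]; then
  ipa_add_share data /srv/samba/data "alice bob" && ipa_show_share data
fi
```

Because the configuration is in the registry, 'net conf listshares' and 'net conf showshare <name>' are the way to check what smbd will actually use; editing /etc/samba/smb.conf by hand will not change these shares.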
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
