One solution that I have tested myself is to have IPA and AD sync, with Samba as 
a server in a 2012 R2 Server AD.
For shared directories used by both Windows and Linux clients, like Home, I used 
NFS 4 with Kerberos for Linux and Samba ADS for Windows.
The same user could log in from both Windows and Linux with the same password through 
winsync and passsync and get secured access with proper permissions on 
directories and files.
Tested this setup out while I wait for IPA being able to handle all user 
accounts and resources in an IPA - AD trust.

From: [] on 
behalf of Steven Jones []
Sent: Tuesday, February 18, 2014 00:34
Subject: Re: [Freeipa-users] Setting up samba with IPA

Can we be clear here,

I'm not after SSO as such, I can sign in with the AD password but that is 

Otherwise, if I read you correctly, I can't use IPA-controlled samba with AD-
controlled Windows hosts at all?

So I'm better to de-IPA samba and go back to the old samba method with a local 

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
0064 4 463 6272

From: <> on 
behalf of Dmitri Pal <>
Sent: Tuesday, 18 February 2014 12:04 p.m.
Subject: Re: [Freeipa-users] Setting up samba with IPA

On 02/17/2014 05:49 PM, Steven Jones wrote:
> Hi,
> So what you are saying is AD clients and IPA-enabled samba servers don't work 
> as a solution yet?
> Ergo I have to remove IPA off the samba server?

I think the setup when you have sync in place is a bit crafty.
I know that people made it work in the past, but with some assumptions,
and this is not SSO.
I mean you can't use a Windows system and access a Samba FS share when
Samba FS is a member of IPA and IPA is in a sync relationship, because the user on
Windows and the user in IPA are two different users, even though they have the same
name: Samba FS can't match the Windows SID of the Windows user to the SID
of the IPA user, because there is no SID for the IPA user.
But on the other side, I know that one can make Samba FS work with IPA;
there have been articles about it. I am not sure what the expectation
is about the clients in this case.

The solution that we are working on is based on the trust. This part is
not ready yet. Once ready, Samba FS can be a member of the IPA domain,
IPA would trust AD, and then users from AD running Windows systems would
be able to directly use Samba FS. This feature is in development right now.

> regards
> Steven Jones
> ________________________________________
> From: Alexander Bokovoy<>
> Sent: Tuesday, 18 February 2014 11:21 a.m.
> To: Steven Jones
> Cc:
> Subject: Re: [Freeipa-users] Setting up samba with IPA
> On Mon, 17 Feb 2014, Steven Jones wrote:
>> I seem to have got a RHEL6 workstation doing smbclient to an IPA samba-
>> enabled server OK.
>> Is there a way to limit some users to CIFS only in IPA?
> If your file system supports POSIX ACLs then simply set limits at the
> file system level; it should work fine.
>> Also, however, my AD-connected Windows 7 machine with winsync and passsync
>> in place to IPA won't connect. It doesn't seem to like the password.... or
>> user, unsure...
> It doesn't like the SID of that user and therefore doesn't think it is the
> same user. There might be other reasons too, as we still haven't settled
> down all bits to enable proper Windows integration for CIFS file
> serving.
> --
> / Alexander Bokovoy

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
