On 02/20/2014 07:25 AM, Johan Petersson wrote:
I do not have access to my lab environment at the moment to help you completely, 
but this should put you on the right track, I hope.

This config enables Home Directories shared through NFS to IPA Linux Clients to 
also be accessible to Windows Clients through SAMBA when having a sync 
configuration between AD and IPA.

The system is an IPA client acting as NFS/SAMBA File Server.
The home directory is shared through NFS 4 krb5p and is automounted to Linux 
Clients.
I presume that the IPA Client Configuration and NFS 4 shared Home Directories 
on the server are working properly already. You also need to have the AD/IPA 
sync and passsync working.

Windows AD Server realm is adexample.com

You can have more than one Kerberos realm in your krb5.conf, so just add the AD 
realm under [realms] and [domain_realm].

[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }
    ADEXAMPLE.COM = {
        kdc = ad.adexample.com
        admin_server = ad.adexample.com
        default_domain = adexample.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .adexample.com = ADEXAMPLE.COM
    adexample.com = ADEXAMPLE.COM

/etc/nsswitch.conf:

passwd: files sss winbind
group: files sss winbind

Try this config in smb.conf
/etc/samba/smb.conf:

[global]
         workgroup = ADEXAMPLE

         security = ads
         passdb backend = tdbsam
         realm = ADEXAMPLE.COM
         encrypt passwords = yes
         domain master = no
         local master = no
         preferred master = no
         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
         use sendfile = true
         idmap config * : backend = tdb
         idmap config * : range = 100000-299999
         # the idmap domain name must be the short AD domain name given in "workgroup"
         idmap config ADEXAMPLE : backend = rid
         idmap config ADEXAMPLE : range = 10000-99999

         winbind separator = +
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind nested groups = yes
         winbind refresh tickets = yes
         template homedir = /home/%U
         template shell = /bin/bash
         client use spnego = yes
         client ntlmv2 auth = yes
         restrict anonymous = 2


[homes]
         comment = Home Directories
         path = /home/%U
         browseable = no
         writable = yes
         valid users = %U
         force user = %U
         directory mode = 0700
         force directory mode = 0700
         create mode = 0600
         force create mode = 0600
         access based share enum = yes
         hide unreadable = yes

If you use an alternate home directory, don't forget to set up SELinux for it 
properly with home_root_t/user_home_dir_t/user_home_t.

Allow samba to share home directories:

setsebool -P samba_enable_home_dirs on

Join server to the AD:
net ads join -U administrator

Make sure smb and winbind are started and set to automatic start at reboots.

Test that you get user and group information:
wbinfo -u
getent passwd
wbinfo -g
getent group

Test:
smbclient -L //servername.example.com -U username

smbclient //servername.example.com/username -U username

Try browsing and creating files/directories and check that all permissions are 
0700/0600 with the right user/group.
Also don't forget to configure the firewall on the server to allow SAMBA.

Johan, would you mind creating a HOWTO page on FreeIPA wiki?


Regards,
Johan
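As an added example (not part of Johan's post or of the FreeIPA or Samba projects), the following POSIX shell script applies the checks from the HOWTO above offline to constructed sample files: that every named `idmap config` domain matches the `workgroup` (the short AD domain name), that the idmap ranges do not overlap, that nsswitch.conf lists both sss and winbind for passwd and group, and that a home directory tree carries the 0700/0600 modes the [homes] share is meant to force. The smb.conf and nsswitch.conf contents, the temporary directory and all file names are constructed for the demo and are not read from a live system.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the smb.conf,
# nsswitch.conf and home-directory permissions described in the HOWTO above.
# All sample files below are constructed here; paths are assumptions.
set -u

# Print the short domain name from "workgroup = ...".
smb_workgroup() {
    awk -F= '$1 ~ /^[ \t]*workgroup[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN : range = LOW-HIGH".
idmap_ranges() {
    awk -F'[=:]' '$1 ~ /^[ \t]*idmap config[ \t]/ && $2 ~ /^[ \t]*range[ \t]*$/ {
        d = $1; sub(/^[ \t]*idmap config[ \t]+/, "", d); gsub(/[ \t]/, "", d)
        r = $3; gsub(/[ \t]/, "", r); split(r, a, "-")
        print d, a[1], a[2] }' "$1"
}

# Every named idmap domain must equal the workgroup. A stray name (e.g. "TEST"
# beside "workgroup = ADEXAMPLE") drops AD users into the "*" tdb range, so
# their UIDs/GIDs no longer line up with the NFS-exported home directories.
check_idmap_domain() {
    wg=$(smb_workgroup "$1")
    idmap_ranges "$1" | awk -v wg="$wg" '$1 != "*" && $1 != wg {
        print "idmap domain " $1 " does not match workgroup " wg; bad = 1 }
        END { exit bad }'
}

# idmap ranges must not overlap, or two different SIDs can map to one UID.
check_idmap_ranges_disjoint() {
    idmap_ranges "$1" | awk '{ d[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                  if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                      print "idmap ranges overlap: " d[i] " and " d[j]; bad = 1 }
              exit bad }'
}

# passwd and group lookups need both sss (IPA users) and winbind (AD users).
check_nsswitch() {
    for db in passwd group; do
        srcs=$(awk -F: -v db="$db" '$1 == db { print $2 }' "$1")
        for want in sss winbind; do
            case " $srcs " in
                *" $want "*) ;;
                *) echo "nsswitch: $db line lacks $want"; return 1 ;;
            esac
        done
    done
    return 0
}

# The [homes] share forces 0700 directories and 0600 files; verify a tree.
check_home_modes() {
    [ -n "$(find "$1" -prune -type d -perm 700)" ] || { echo "$1 is not mode 0700"; return 1; }
    bad=$(find "$1" -type f ! -perm 600)
    [ -z "$bad" ] || { echo "files not mode 0600:"; echo "$bad"; return 1; }
    return 0
}

# --- constructed sample data (demo only) -------------------------------------
DEMO=$(mktemp -d)
cat > "$DEMO/smb.conf.ok" <<'EOF'
[global]
         workgroup = ADEXAMPLE
         idmap config * : backend = tdb
         idmap config * : range = 100000-299999
         idmap config ADEXAMPLE : backend = rid
         idmap config ADEXAMPLE : range = 10000-99999
EOF
cat > "$DEMO/smb.conf.bad" <<'EOF'
[global]
         workgroup = ADEXAMPLE
         idmap config * : backend = tdb
         idmap config * : range = 100000-299999
         idmap config TEST : backend = rid
         idmap config TEST : range = 50000-150000
EOF
printf 'passwd: files sss winbind\ngroup: files sss winbind\n' > "$DEMO/nsswitch.ok"
printf 'passwd: files sss\ngroup: files sss\n' > "$DEMO/nsswitch.bad"
mkdir -m 700 "$DEMO/home" && touch "$DEMO/home/notes.txt" && chmod 600 "$DEMO/home/notes.txt"

for f in smb.conf.ok smb.conf.bad; do
    if check_idmap_domain "$DEMO/$f" && check_idmap_ranges_disjoint "$DEMO/$f"; then
        echo "$f: idmap configuration OK"
    else
        echo "$f: idmap configuration rejected"
    fi
done
check_nsswitch "$DEMO/nsswitch.ok" && echo "nsswitch.ok: OK"
check_nsswitch "$DEMO/nsswitch.bad" || echo "nsswitch.bad: rejected"
if check_home_modes "$DEMO/home"; then echo "home modes OK"; fi
```

On a real file server the same functions can be pointed at /etc/samba/smb.conf, /etc/nsswitch.conf and a user's home directory after the smbclient test; the script deliberately reads only the files it is given and changes nothing.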
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, February 19, 2014 01:28
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA

This is what I'd like to do: Linux users have NFS, with Samba for Windows users. 
From what I can read, however, to get samba to work with AD I have to alter 
Kerberos, which is set to IPA... so I don't understand how you have it working.

Currently I'm trying to get samba just to work with a password set via smbpasswd, 
but this is also failing; not sure if it's an IPA interference issue or something 
else...


regards

Steven J
________________________________________
From: Johan Petersson<johan.peters...@sscspace.com>
Sent: Tuesday, 18 February 2014 8:18 p.m.
To: Steven Jones; freeipa-users@redhat.com; d...@redhat.com
Subject: RE: [Freeipa-users] Setting up samba with IPA

One solution that I have tested myself is to have IPA and AD sync with Samba as 
a server in a 2012 R2 Server AD.
For shared directories used both by Windows and Linux clients like Home, I used 
NFS 4 with Kerberos for Linux and Samba ADS for Windows.
The same user could log in from both Windows and Linux with the same password through 
winsync and passsync and get secured access with proper permissions on 
directories and files.
Tested this setup out while I wait for IPA being able to handle all user 
accounts and resources in an IPA - AD trust.

Regards,
Johan
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 18, 2014 00:34
To: freeipa-users@redhat.com; d...@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA

Can we be clear here,

I'm not after SSO as such; I can sign in with the AD password, but that is 
failing.

Otherwise, if I read you correctly, I can't use IPA-controlled samba with AD-
controlled Windows hosts at all?

So I'm better to de-IPA samba and go back to the old samba method with a local 
password?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com<freeipa-users-boun...@redhat.com>  on behalf 
of Dmitri Pal<d...@redhat.com>
Sent: Tuesday, 18 February 2014 12:04 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA

On 02/17/2014 05:49 PM, Steven Jones wrote:
Hi,

So what you are saying is AD clients and IPA-enabled samba servers don't work as 
a solution yet?

Ergo I have to remove IPA off the samba server?
I think the setup when you have sync in place is a bit crafty.
I know that people made it work in the past, but with some assumptions
that this is not an SSO.
I mean you can't use a Windows system and access a Samba FS share when
Samba FS is a member of IPA and IPA is in sync relations, because the user on
Windows and the user in IPA are two different users, though they have the same
name. Samba FS can't match the Windows SID of the Windows user to the SID
of the IPA user because there is no SID for the IPA user.
But on the other side I know that one can make Samba FS work with IPA;
there have been articles about it. I am not sure what the expectation is
about the clients in this case.

The solution that we are working on is based on the trust. This part is
not ready yet. Once ready Samba FS can be a member of the IPA domain,
IPA would trust AD and then users from AD running Windows systems would
be able to directly use Samba FS. This feature is in development right now.

regards

Steven Jones

________________________________________
From: Alexander Bokovoy<aboko...@redhat.com>
Sent: Tuesday, 18 February 2014 11:21 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA

On Mon, 17 Feb 2014, Steven Jones wrote:
I seem to have got a RHEL6 workstation doing smbclient to an IPA samba
enabled server OK.


Is there a way to limit some users to CIFS only in IPA?
If your file system supports POSIX ACLs then simply set limits at the
file system level; it should work fine.

http://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html

Also, however, my AD-connected Windows 7 machine with winsync and passsync
in place to IPA won't connect. It doesn't seem to like the password... or
user, unsure...
It doesn't like the SID of that user and therefore doesn't think it is the
same user. There might be other reasons too, as we still haven't settled
down all bits to enable proper Windows integration for CIFS file
serving.

--
/ Alexander Bokovoy



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
