On 02/20/2014 07:25 AM, Johan Petersson wrote:
I do not have access to my lab environment at the moment to help you completely,
but this should put you on the right track, I hope.
This config enables home directories shared through NFS to IPA Linux clients to
also be accessible to Windows clients through Samba when you have a sync
configuration between AD and IPA.
The system is an IPA client acting as an NFS/Samba file server.
The home directory is shared through NFS 4 krb5p and is automounted to Linux
clients.
I presume that the IPA client configuration and NFS 4 shared home directories
on the server are already working properly. You also need to have the AD/IPA
sync and PassSync working.
The Windows AD server realm is adexample.com.
You can have more than one Kerberos realm in your krb5.conf, so just add the AD
realm under [realms] and [domain_realm].
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
ADEXAMPLE.COM = {
kdc = ad.adexample.com
admin_server = ad.adexample.com
default_domain = adexample.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.adexample.com = ADEXAMPLE.COM
adexample.com = ADEXAMPLE.COM
/etc/nsswitch.conf:
passwd: files sss winbind
group: files sss winbind
Try this config in smb.conf:
/etc/samba/smb.conf:
[global]
workgroup = ADEXAMPLE
security = ads
passdb backend = tdbsam
realm = ADEXAMPLE.COM
encrypt passwords = yes
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
# The per-domain idmap block must be named after the joined domain (the
# 'workgroup' above); the original post had 'TEST' here, which would never
# match ADEXAMPLE and would leave AD users on the '*' tdb range.
idmap config ADEXAMPLE : backend = rid
idmap config ADEXAMPLE : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
valid users = %U
force user = %U
directory mode = 0700
force directory mode = 0700
create mode = 0600
force create mode = 0600
access based share enum = yes
hide unreadable = yes
If you use an alternate home directory, don't forget to set up SELinux for it
properly with home_root_t/user_home_dir_t/user_home_t.
Allow Samba to share home directories:
setsebool -P samba_enable_home_dirs on
Join server to the AD:
net ads join -U administrator
Make sure smb and winbind are started and set to start automatically at reboot.
Test that you get user and group information:
wbinfo -u
getent passwd
wbinfo -g
getent group
Test:
smbclient -L //servername.example.com -U username
smbclient //servername.example.com/username -U username
Try browsing and creating files/directories and check that all permissions are
0700/0600 with the right user/group.
Also don't forget to configure the firewall on the server to allow Samba.
Johan, would you mind creating a HOWTO page on FreeIPA wiki?
Regards,
Johan
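The smb.conf above has a few places where a typo is silent until AD users start getting the wrong UIDs: the per-domain idmap block has to be named after the joined workgroup, idmap ranges must not overlap, and the [homes] modes must actually be the 0700/0600 the post relies on. The script below is an added example (not from the original post or from Samba) that lints an smb.conf for exactly those three points with POSIX sh and awk; the two smb.conf bodies it writes to temp files are constructed samples, the first being the posted config as written and the second with the idmap block renamed to the workgroup.

```shell
#!/bin/sh
# Added example, not from the original post: lint an smb.conf for the pitfalls
# the posted configuration is exposed to, before running 'net ads join'.
# Uses only POSIX sh and awk. The two smb.conf bodies below are constructed.

# Print the value of parameter $3 in section $2 of smb.conf $1.
# Parameters written before the first [section] header are global in Samba,
# so the current section starts out as "global".
smb_param() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            cur = $0; gsub(/[][]/, "", cur); gsub(/^[[:space:]]+|[[:space:]]+$/, "", cur); next
        }
        tolower(cur) == tolower(sec) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
            }
        }' cur=global "$1"
}

# Print one "DOMAIN LOW HIGH" line per 'idmap config DOMAIN : range = LOW-HIGH'.
idmap_ranges() {
    awk '
        /^[[:space:]]*idmap[[:space:]]+config[[:space:]]+.*:[[:space:]]*range[[:space:]]*=/ {
            dom = $0
            sub(/^[[:space:]]*idmap[[:space:]]+config[[:space:]]+/, "", dom)
            sub(/[[:space:]]*:.*$/, "", dom)
            rng = $0
            sub(/^.*=[[:space:]]*/, "", rng)
            split(rng, r, "-")
            print dom, r[1] + 0, r[2] + 0
        }' "$1"
}

# Winbind only applies a per-domain idmap block whose name matches the joined
# domain (the 'workgroup'); any other name is dead config and users fall back
# to the '*' allocating range.
check_idmap_domain() {
    wg=$(smb_param "$1" global workgroup)
    [ -n "$wg" ] &&
    idmap_ranges "$1" | awk -v wg="$wg" 'toupper($1) == toupper(wg) { ok = 1 } END { exit !ok }'
}

# Overlapping idmap ranges can map two SIDs onto one UID/GID; reject any overlap.
check_idmap_overlap() {
    idmap_ranges "$1" | awk '
        { n++; lo[n] = $2; hi[n] = $3 }
        END {
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
            exit 0
        }'
}

# The post expects home directories at 0700 and files at 0600.
check_homes_modes() {
    [ "$(smb_param "$1" homes 'directory mode')" = 0700 ] &&
    [ "$(smb_param "$1" homes 'force directory mode')" = 0700 ] &&
    [ "$(smb_param "$1" homes 'create mode')" = 0600 ] &&
    [ "$(smb_param "$1" homes 'force create mode')" = 0600 ]
}

# Run every check; exit status is non-zero if any of them fails.
lint_smb_conf() {
    rc=0
    for c in check_idmap_domain check_idmap_overlap check_homes_modes; do
        if $c "$1"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Constructed sample 1: the posted config as written (workgroup ADEXAMPLE, idmap block TEST).
SMB_POSTED=$(mktemp); SMB_FIXED=$(mktemp)
trap 'rm -f "$SMB_POSTED" "$SMB_FIXED"' EXIT
cat >"$SMB_POSTED" <<'EOF'
workgroup = ADEXAMPLE
security = ads
realm = ADEXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
[homes]
path = /home/%U
directory mode = 0700
force directory mode = 0700
create mode = 0600
force create mode = 0600
EOF
# Constructed sample 2: the same config with the idmap block renamed to the workgroup.
sed 's/idmap config TEST/idmap config ADEXAMPLE/' "$SMB_POSTED" >"$SMB_FIXED"

lint_smb_conf "$SMB_POSTED" || echo "posted config: fix before 'net ads join'"
lint_smb_conf "$SMB_FIXED"
```

Point `lint_smb_conf` at the real /etc/samba/smb.conf before joining; `testparm` will not flag a mis-named idmap block because it is syntactically valid, so this catches what testparm does not.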
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, February 19, 2014 01:28
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA
This is what I'd like to do: Linux users have NFS, with Samba for Windows users.
From what I can read, however, to get Samba to work with AD I have to alter
Kerberos, which is set to IPA... so I don't understand how you have it working.
Currently I'm trying to get Samba just to work with a password set via smbpasswd,
but this is also failing; not sure if it's an IPA interference issue or something
else...
regards
Steven J
________________________________________
From: Johan Petersson<johan.peters...@sscspace.com>
Sent: Tuesday, 18 February 2014 8:18 p.m.
To: Steven Jones; freeipa-users@redhat.com; d...@redhat.com
Subject: RE: [Freeipa-users] Setting up samba with IPA
One solution that I have tested myself is to have IPA and AD sync, with Samba as
a server in a 2012 R2 Server AD.
For shared directories used by both Windows and Linux clients, like home, I used
NFS 4 with Kerberos for Linux and Samba ADS for Windows.
The same user could log in from both Windows and Linux with the same password
through winsync and PassSync and get secured access with proper permissions on
directories and files.
I tested this setup out while I wait for IPA to be able to handle all user
accounts and resources in an IPA - AD trust.
Regards,
Johan
________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 18, 2014 00:34
To: freeipa-users@redhat.com; d...@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA
Can we be clear here:
I'm not after SSO as such; I can sign in with the AD password, but that is
failing.
Otherwise, if I read you correctly, I can't use IPA-controlled Samba with
AD-controlled Windows hosts at all?
So I'm better off de-IPAing Samba and going back to the old Samba method with a
local password?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272
________________________________________
From: freeipa-users-boun...@redhat.com<freeipa-users-boun...@redhat.com> on behalf
of Dmitri Pal<d...@redhat.com>
Sent: Tuesday, 18 February 2014 12:04 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA
On 02/17/2014 05:49 PM, Steven Jones wrote:
Hi,
So what you are saying is AD clients and IPA-enabled Samba servers don't work as
a solution yet?
Ergo I have to remove IPA from the Samba server?
I think the setup when you have sync in place is a bit crafty.
I know that people made it work in the past, but with some assumptions, namely
that this is not SSO.
I mean you can't use a Windows system and access a Samba FS share when the
Samba FS is a member of IPA and IPA is in a sync relationship, because the user
on Windows and the user in IPA are two different users: though they have the
same name, Samba FS can't match the Windows SID of the Windows user to the SID
of the IPA user, because there is no SID for the IPA user.
But on the other side, I know that one can make Samba FS work with IPA;
there have been articles about it. I am not sure what the expectation is
about the clients in this case.
The solution that we are working on is based on the trust. This part is
not ready yet. Once ready, Samba FS can be a member of the IPA domain,
IPA would trust AD, and then users from AD running Windows systems would
be able to directly use Samba FS. This feature is in development right now.
regards
Steven Jones
________________________________________
From: Alexander Bokovoy<aboko...@redhat.com>
Sent: Tuesday, 18 February 2014 11:21 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Setting up samba with IPA
On Mon, 17 Feb 2014, Steven Jones wrote:
I seem to have got a RHEL6 workstation doing smbclient to an IPA Samba-enabled
server OK.
Is there a way to limit some users to CIFS only in IPA?
If your file system supports POSIX ACLs, then simply set limits at the
file system level; it should work fine.
http://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
Also, however, my AD-connected Windows 7 machine with winsync and PassSync
in place to IPA won't connect. It doesn't seem to like the password... or
user, unsure...
It doesn't like the SID of that user and therefore doesn't think it is the
same user. There might be other reasons too, as we still haven't settled
all bits to enable proper Windows integration for CIFS file serving.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/