On Fri, 28 Mar 2014, Jason Woods wrote:
(Apologies - resending to the list - I'm so used to the Reply-To already being set
but it appears not to be here, my bad.)
On 28 Mar 2014, at 11:32, Petr Spacek <pspa...@redhat.com> wrote:
Please let us know if it worked for you or not. I'm curious! :-)
I'm pretty curious too.
I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I
needed to add two patches though to 3.0 to fix 'valid users' group
resolution and also performance. They're merged into master and 3.3
and will be in RHEL 7.
Apart from the patching it was easy to do - just needed ipa-server and
ipa-server-adtrust installed and set up and it did all the config for me
(the adtrust part sets up samba with ipasam.so for you).
The problem with running ipasam.so without the ipa-server locally is how to
get it so the host can see ipaNTHash in the schema to check the password.
If ipa-server is local the host has access, otherwise it doesn't.
So it would be good to find out what aci or service principal stuff makes that
available in an elegant and secure way.
We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it
all and may be creating a simple configuration tool.
Timing is not yet defined.
/ Alexander Bokovoy
Freeipa-users mailing list