On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
> I need some help with getting Samba and FreeIPA working together.
> I’ve been following the guide at
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
> that seems quite out of date for IPAv3 and I need some help:
yes, it is a bit outdated but still useful. Please note that we are
currently working on making the integration of samba more easy. Recently
I send a patch to the samba-technical mailing list with a library which
would allow samba to use SSSD instead of winbind to look up users and
SID-to-name mapping. Alexander is planning to go through the ipasam
modules to see how to make integration with Samba file-servers more easy.
But coming back to your questions.
> 1. The guide deals with setting a Samba server SID for one Samba
> server, but as we have multiple stand-alone Samba3 servers, which SID
> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
> have more than 1 plugin (seems unlikely)?
'net getlocalsid' returns the domain SID and since all you Samba
file-servers are member of the IPA domain you can use a common SID here.
With IPAv3 SID generation for users and groups is even more easy because
you can get it for free by running ipa-adtrust-install (please use the
option --add-sids) if you already have users and groups in your IPA
server. This prepares the IPA server to be able to create trust
relationships to Active Directory and one requirement here is that all
users and groups have SID.
'ipa-adtrust-install' will also create a domain SID. 'ipa
trustconfig-show' will show the domain SID together with the DNS domain
name and the NetBIOS domain name. On your Samba server you should set
'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
server after running ipa-adtrust-install for a config example).
Additionally on your Samba servers you have to set the domain SID in
/var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
keys with the same SID
SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf
SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in
The SID has to be given in a special binary format. The easiest way to
get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
IPA server after running ipa-adtrust-install. The domain SID will always
start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
as data for the insert command of tdbtool.
Now everything should be done with respect to SID handling.
> 2. There’s no “/usr/share/ipa/ui/group.js” file to patch in
> IPAv3. What do I need to patch instead?
> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
> shows the need is there but I could do with getting it working ASAP.
group.js is compliend with the other UI files in
install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
for details). For your convenience I copied some section here:
"The compiled Web UI layer is located in
`/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
source git repository in `install/ui/src/freeipa/` directory to the
`/usr/share/ipa/ui/js/freeipa/` directory (in will replace the `app.js`
file). By doing that, next reload of Web UI will use source files
errors will contain proper source code name and line number."
> I may be missing something obvious but some help would be greatly appreciated!
I hope my comments will help you. Feel free to ask for more help if
needed. It would be nice to hear from any success as well.
> Brief: Need to expand from the current single-office-ish NIS/YP scheme
> to a multi-location/multi-national auth scheme which FreeIPA seems
> ideally suited for.
> Requirement: To continue to provide console/SSH and GUI/X logins to
> Linux hosts, access to home and project directories via NFS from the
> Linux machines using autofs/automount and access to Samba file-shares
> from Windows machines but not using AD creds as this is a totally
> separate environment. Several locations will each have a FreeIPA
> replica server, NFS/Samba fileserver and “application” server.
> Currently use 2 passwords for each user – one for NIS, one for Samba –
> and need to consolidate to one password for everything.
> Progress: Linux-based NFS stuff working fine – automount of home and
> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
> as a prototyping environment but will probably use RHEL/CentOS 7 when
> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
> 3.3.5 on Fedora 20.
> Freeipa-users mailing list
Freeipa-users mailing list