Hi Sumit and Petr,

Thanks both of you for your replies, I've now got to go and try to
implement all your suggestions but I have some more questions, sorry!
The guide at techslaves was fine, I just got stuck with the changes in
the JavaScript packages and the Samba server questions.

1. Petr, I put your samba.js plugin into
/usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
of JS knowledge, anything more than simple Bash scripts tends to leave
me confused! Do I need to do anything else apart from restart the IPA
service? I read your info at
http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
plugins have to be registered, but I couldn't work out if it's a
manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
for the CLI as well.

2. Sumit, thanks for the info on Samba, I'll have to leave that now
and try it next week. BTW, the version of Samba I'm testing against is
3.6.9-168 on CentOS 6.5.

Thanks again for your information and patience,


On 22 May 2014 14:19, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 22.5.2014 14:19, Sumit Bose wrote:
>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>> Hello,
>>> I need some help with getting Samba and FreeIPA working together.
>>> I’ve been following the guide at
>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>>> that seems quite out of date for IPAv3 and I need some help:
>> yes, it is a bit outdated but still useful. Please note that we are
>> currently working on making the integration of samba more easy. Recently
>> I send a patch to the samba-technical mailing list with a library which
>> would allow samba to use SSSD instead of winbind to look up users and
>> SID-to-name mapping. Alexander is planning to go through the ipasam
>> modules to see how to make integration with Samba file-servers more easy.
>> But coming back to your questions.
>>> 1.       The guide deals with setting a Samba server SID for one Samba
>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>>> have more than 1 plugin (seems unlikely)?
>> 'net getlocalsid' returns the domain SID and since all you Samba
>> file-servers are member of the IPA domain you can use a common SID here.
>> With IPAv3 SID generation for users and groups is even more easy because
>> you can get it for free by running ipa-adtrust-install (please use the
>> option --add-sids) if you already have users and groups in your IPA
>> server. This prepares the IPA server to be able to create trust
>> relationships to Active Directory and one requirement here is that all
>> users and groups have SID.
>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>> trustconfig-show' will show the domain SID together with the DNS domain
>> name and the NetBIOS domain name. On your Samba server you should set
>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>> server after running ipa-adtrust-install for a config example).
>> Additionally on your Samba servers you have to set the domain SID in
>> /var/lib/samba/private/secrets.tdb  with tdbtool. You will need 3
>> keys with the same SID
>> SECRETS/SID/DOMNETBIOS  <- NetBIOS domain name, workgroup in smb.conf
>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
>>                                 smb.conf
>> SECRETS/SID/CLINETBIOS  <- NetBIOS name of the client, 'netbios name' in
>>                             smb.conf
>> The SID has to be given in a special binary format. The easiest way to
>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>> IPA server after running ipa-adtrust-install. The domain SID will always
>> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
>> as data for the insert command of tdbtool.
>> Now everything should be done with respect to SID handling.
>>> 2.       There’s no “/usr/share/ipa/ui/group.js” file to patch in
>>> IPAv3. What do I need to patch instead?
>>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>>> shows the need is there but I could do with getting it working ASAP.
>> group.js is compliend with the other UI files in
>> /usr/share/ipa/ui/js/freeipa/app.js (see
>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>> for details). For your convenience I copied some section here:
>> "The compiled Web UI layer is located in
>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
>> source git repository in `install/ui/src/freeipa/` directory to the
>> `/usr/share/ipa/ui/js/freeipa/` directory (in will replace the `app.js`
>> file). By doing that, next reload of Web UI will use source files
>> (clearing browser cache may be required). After that all JavaScript
>> errors will contain proper source code name and line number."
> Better approach is to create a custom UI plugin which would add those
> fields. Since it's only 3 fields, I create an example which works on FreeIPA
> 4.0 and theoretically it should work on 3.2 as well:
> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
> I did not test it with backend (no labels + doesn't do anything).
> More about plugin development:
> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
> Creating CLI plugin is IMO also better approach.
>>> I may be missing something obvious but some help would be greatly
>>> appreciated!
>> I hope my comments will help you. Feel free to ask for more help if
>> needed. It would be nice to hear from any success as well.
>> bye,
>> Sumit
>>> Thanks,
>>> Dylan.
>>> Background:
>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>>> ideally suited for.
>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>>> Linux hosts, access to home and project directories via NFS from the
>>> Linux machines using autofs/automount and access to Samba file-shares
>>> from Windows machines but not using AD creds as this is a totally
>>> separate environment. Several locations will each have a FreeIPA
>>> replica server, NFS/Samba fileserver and “application” server.
>>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>>> and need to consolidate to one password for everything.
>>> Progress: Linux-based NFS stuff working fine – automount of home and
>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>>> 3.3.5 on Fedora 20.
> --
> Petr Vobornik

Freeipa-users mailing list

Reply via email to