Hi Sumit,

Thanks for your reply.

I shall await the fruits of Alexander's labour over the summer with
interest. It seems that it's all so close to working and would be
great for an organisation in our situation with a mixed Samba/NFS
Linux/Windows environment. Do you think the work on compatibility will
be for Samba 3, 4 or both?

I need to look at the slapi-nis functionality anyway as the current
feeling is that we need to get the NFS side of things working with as
little user pain as possible and that Samba will have to go onto the
back-burner for now. I'll come back with anything new I find.

As RHEL7 has just been released I'm going to have to rebuild my test
environment anyway...

Thanks for your help so far,

Dylan.

On 4 June 2014 14:47, Sumit Bose <sb...@redhat.com> wrote:
> On Tue, Jun 03, 2014 at 03:37:05PM +0100, Dylan Evans wrote:
>> Hello again,
>>
>> Just realised by re-reading this thread that I still needed to create
>> the DNA plugin.
>>
>> I've now done that and I can add users, sorry for being stupid...
>
> I think the issue is on my side :-) I forgot that samba uses a hardcoded
> LDAP schema and requires specific objectclass and attribute names.
>
> By enabling the DNA plugin the needed values are added to the user
> object, but with the negative side effect that there are now two
> attributes containing a different SID, one created by the DNA plugin, the
> other by a plugin activated by ipa-adtrust-install.
>
> I guess the proper solution would be to not enable the DNA plugin to
> create the SIDs in the user object but to use the Schema Compatibility
> plugin from slapi-nis to create a compat tree where samba can find the
> needed data with the expected schema. But I'm afraid I am not aware of
> any howto about this.
>
> Even better would be to use ipasam instead of ldapsam in samba itself.
> But I cannot say how well or badly it will currently work because, as
> mentioned below, Alexander is planning to check it in summer.
>
> bye,
> Sumit
>
>>
>> Dylan.
>>
>>
>>
>> On 3 June 2014 14:44, Dylan Evans <devan...@gmail.com> wrote:
>> > Hi Petr & Sumit,
>> >
>> > I've been trying to get further with my setup.
>> >
>> > 1. Thanks Petr, the groups.js plugin seems to work fine, it shows the
>> > correct info on the GUI screen and seems to be ok.
>> >
>> > 2. Sumit, I'm afraid that I'm having a few more problems after running
>> > "ipa-adtrust-install --add-sids". I cannot now add any users on the
>> > server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I
>> > get the following error:
>> >
>> > GUI:
>> > IPA Error 4205
>> > missing attribute: "sambaSID" required by object class "sambaSamAccount"
>> >
>> > Command-line:
>> > ipa user-add test1234 .....
>> > ipa: ERROR: missing attribute "sambaSID" required by object class
>> > "sambaSamAccount"
>> >
>> > Also, when editing an existing user, there is no sambaSID field
>> > available to edit.
>> >
>> > If you have any ideas, please let me know.
>> >
>> > Thanks,
>> >
>> > Dylan.
>> >
>> >
>> > On 26 May 2014 11:40, Petr Vobornik <pvobo...@redhat.com> wrote:
>> >> On 23.5.2014 16:31, Dylan Evans wrote:
>> >>>
>> >>> Hi Sumit and Petr,
>> >>>
>> >>> Thanks both of you for your replies, I've now got to go and try to
>> >>> implement all your suggestions but I have some more questions, sorry!
>> >>> The guide at techslaves was fine, I just got stuck with the changes in
>> >>> the JavaScript packages and the Samba server questions.
>> >>>
>> >>> 1. Petr, I put your samba.js plugin into
>> >>> /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
>> >>> of JS knowledge, anything more than simple Bash scripts tends to leave
>> >>> me confused! Do I need to do anything else apart from restart the IPA
>> >>> service? I read your info at
>> >>> http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
>> >>> plugins have to be registered, but I couldn't work out if it's a
>> >>> manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
>> >>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
>> >>> for the CLI as well.
>> >>
>> >>
>> >> Should be automatically handled by the plugin.py wsgi handler and related
>> >> logic in the Web UI. Just make sure that the file and the directory have
>> >> the same names (except for the extension in the file's case, of course).
>> >>
>> >>
>> >>>
>> >>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now
>> >>> and try it next week. BTW, the version of Samba I'm testing against is
>> >>> 3.6.9-168 on CentOS 6.5.
>> >>>
>> >>> Thanks again for your information and patience,
>> >>>
>> >>> Dylan.
>> >>>
>> >>> On 22 May 2014 14:19, Petr Vobornik <pvobo...@redhat.com> wrote:
>> >>>>
>> >>>> On 22.5.2014 14:19, Sumit Bose wrote:
>> >>>>>
>> >>>>>
>> >>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>> >>>>>>
>> >>>>>>
>> >>>>>> Hello,
>> >>>>>>
>> >>>>>> I need some help with getting Samba and FreeIPA working together.
>> >>>>>>
>> >>>>>> I’ve been following the guide at
>> >>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>> >>>>>> that seems quite out of date for IPAv3 and I need some help:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> yes, it is a bit outdated but still useful. Please note that we are
>> >>>>> currently working on making the integration of samba easier. Recently
>> >>>>> I sent a patch to the samba-technical mailing list with a library which
>> >>>>> would allow samba to use SSSD instead of winbind to look up users and
>> >>>>> SID-to-name mapping. Alexander is planning to go through the ipasam
>> >>>>> modules to see how to make integration with Samba file-servers easier.
>> >>>>>
>> >>>>> But coming back to your questions.
>> >>>>>
>> >>>>>>
>> >>>>>> 1. The guide deals with setting a Samba server SID for one Samba
>> >>>>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>> >>>>>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>> >>>>>> have more than 1 plugin (seems unlikely)?
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> 'net getlocalsid' returns the domain SID and since all your Samba
>> >>>>> file-servers are members of the IPA domain you can use a common SID
>> >>>>> here.
>> >>>>>
>> >>>>> With IPAv3 SID generation for users and groups is even easier because
>> >>>>> you can get it for free by running ipa-adtrust-install (please use the
>> >>>>> option --add-sids) if you already have users and groups in your IPA
>> >>>>> server. This prepares the IPA server to be able to create trust
>> >>>>> relationships to Active Directory and one requirement here is that all
>> >>>>> users and groups have a SID.
>> >>>>>
>> >>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>> >>>>> trustconfig-show' will show the domain SID together with the DNS domain
>> >>>>> name and the NetBIOS domain name. On your Samba server you should set
>> >>>>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>> >>>>> server after running ipa-adtrust-install for a config example).
>> >>>>>
>> >>>>> Additionally on your Samba servers you have to set the domain SID in
>> >>>>> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
>> >>>>> keys with the same SID:
>> >>>>>
>> >>>>> SECRETS/SID/DOMNETBIOS      <- NetBIOS domain name, 'workgroup' in smb.conf
>> >>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match 'realm' in smb.conf
>> >>>>> SECRETS/SID/CLINETBIOS      <- NetBIOS name of the client, 'netbios name' in smb.conf
>> >>>>>
>> >>>>> The SID has to be given in a special binary format. The easiest way to
>> >>>>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>> >>>>> IPA server after running ipa-adtrust-install. The domain SID will always
>> >>>>> start with \01\04\00\00\00\00\00\05\15\... You can use this sequence
>> >>>>> as data for the insert command of tdbtool.
>> >>>>>
>> >>>>> Now everything should be done with respect to SID handling.
>> >>>>>
>> >>>>>>
>> >>>>>> 2. There’s no “/usr/share/ipa/ui/group.js” file to patch in
>> >>>>>> IPAv3. What do I need to patch instead?
>> >>>>>>
>> >>>>>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999, which
>> >>>>>> shows the need is there but I could do with getting it working ASAP.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> group.js is compiled with the other UI files into
>> >>>>> /usr/share/ipa/ui/js/freeipa/app.js (see
>> >>>>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>> >>>>> for details). For your convenience I copied a section here:
>> >>>>>
>> >>>>> "The compiled Web UI layer is located in the
>> >>>>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from the
>> >>>>> source git repository's `install/ui/src/freeipa/` directory to the
>> >>>>> `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
>> >>>>> file). By doing that, the next reload of the Web UI will use the source
>> >>>>> files (clearing the browser cache may be required). After that all
>> >>>>> JavaScript errors will contain the proper source file name and line number."
>> >>>>
>> >>>>
>> >>>>
>> >>>> A better approach is to create a custom UI plugin which would add those
>> >>>> fields. Since it's only 3 fields, I created an example which works on
>> >>>> FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>> >>>>
>> >>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>> >>>>
>> >>>> Put the file into the `/usr/share/ipa/ui/js/plugins/samba` directory.
>> >>>>
>> >>>> I did not test it with backend (no labels + doesn't do anything).
>> >>>>
>> >>>> More about plugin development:
>> >>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>> >>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>> >>>>
>> >>>> Creating a CLI plugin is IMO also a better approach.
>> >>>>
>> >>>>
>> >>>>>
>> >>>>>>
>> >>>>>> I may be missing something obvious but some help would be greatly
>> >>>>>> appreciated!
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> I hope my comments will help you. Feel free to ask for more help if
>> >>>>> needed. It would be nice to hear from any success as well.
>> >>>>>
>> >>>>> bye,
>> >>>>> Sumit
>> >>>>>
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>>
>> >>>>>> Dylan.
>> >>>>>>
>> >>>>>> Background:
>> >>>>>>
>> >>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>> >>>>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>> >>>>>> ideally suited for.
>> >>>>>>
>> >>>>>>
>> >>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>> >>>>>> Linux hosts, access to home and project directories via NFS from the
>> >>>>>> Linux machines using autofs/automount and access to Samba file-shares
>> >>>>>> from Windows machines but not using AD creds as this is a totally
>> >>>>>> separate environment. Several locations will each have a FreeIPA
>> >>>>>> replica server, NFS/Samba fileserver and “application” server.
>> >>>>>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>> >>>>>> and need to consolidate to one password for everything.
>> >>>>>>
>> >>>>>>
>> >>>>>> Progress: Linux-based NFS stuff working fine – automount of home and
>> >>>>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>> >>>>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>> >>>>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>> >>>>>> 3.3.5 on Fedora 20.
>> >>>>>>
>> >>>> --
>> >>>> Petr Vobornik
>> >>
>> >>
>> >>
>> >> --
>> >> Petr Vobornik
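Sumit's description of the secrets.tdb entries quoted above (three SECRETS/SID/* keys that must all hold the same domain SID, stored in a binary form that tdbdump prints as \01\04\00\00\00\00\00\05\15\...) can be checked mechanically before a file server is put into service. The Python below is an added example, not code from the thread, from FreeIPA or from Samba: it packs a textual SID into that binary layout and back, renders it in the \XX notation tdbdump prints (the same notation the thread says to hand to tdbtool's insert command), and verifies that a tdbdump listing carries the expected SID under all three keys, reporting a missing key or a stale value. The SID S-1-5-21-1111111111-2222222222-3333333333, the stale SID, and the names IPADOM, IPA.EXAMPLE.TEST and FILESRV1 are constructed placeholders; the dump text is generated by the example itself rather than captured from a real server.

```python
"""Domain SID handling for Samba's secrets.tdb.

Added example, not code from the FreeIPA thread, FreeIPA or Samba.
The SID, domain and host names below are constructed placeholders.
"""
import re
import struct

# Packed SID layout (the same one Windows uses on the wire):
#   byte 0     revision (always 1)
#   byte 1     number of sub-authorities (at most 15)
#   bytes 2-7  identifier authority, 48-bit big-endian (5 = NT authority)
#   then       one 32-bit little-endian integer per sub-authority
# so a domain SID S-1-5-21-a-b-c always starts \01\04\00\00\00\00\00\05\15,
# the prefix mentioned in the thread.

SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
STALE_SID = "S-1-5-21-1111111111-2222222222-3333333334"   # constructed


def sid_to_binary(sid):
    """Pack 'S-1-5-21-...' into the form stored under SECRETS/SID/*."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % sid)
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def binary_to_sid(data):
    """Inverse of sid_to_binary; rejects truncated or padded records."""
    if len(data) < 8:
        raise ValueError("SID record too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID record of %d bytes" % len(data))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def tdb_escape(data):
    """Render bytes as tdbdump prints them: printable ASCII other than '"'
    and '\\' literally, every other byte as \\XX (the notation the thread
    says to paste into tdbtool's insert command)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                   else "\\%02X" % b for b in data)


def tdb_unescape(text):
    """Parse the \\XX notation back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


# One tdbdump record: key(N) = "..." on one line, data(N) = "..." on the next.
SECRET_RECORD = re.compile(
    r'key\(\d+\) = "SECRETS/SID/([^"]+)"\s*\n\s*data\((\d+)\) = "([^"\n]*)"')


def format_dump(entries):
    """Render {key: bytes} in tdbdump's record layout; stands in here for
    the output of 'tdbdump /var/lib/samba/private/secrets.tdb'."""
    return "".join('{\nkey(%d) = "%s"\ndata(%d) = "%s"\n}\n'
                   % (len(k), k, len(v), tdb_escape(v)) for k, v in entries.items())


def build_secrets(domain_sid, netbios_domain, dns_domain, netbios_client):
    """The three SECRETS/SID/* records the thread lists, all with one SID."""
    value = sid_to_binary(domain_sid)
    return {"SECRETS/SID/" + name: value
            for name in (netbios_domain, dns_domain, netbios_client)}


def secrets_sids(dump_text):
    """Map the <name> of each SECRETS/SID/<name> record to its textual SID."""
    found = {}
    for name, size, raw in SECRET_RECORD.findall(dump_text):
        data = tdb_unescape(raw)
        if len(data) != int(size):
            raise ValueError("SECRETS/SID/%s: declared %s bytes, got %d"
                             % (name, size, len(data)))
        found[name] = binary_to_sid(data)
    return found


def check_secrets(dump_text, expected_sid, netbios_domain, dns_domain, netbios_client):
    """Return a list of problems; empty means all three keys exist and carry
    expected_sid (the value 'ipa trustconfig-show' reports on the IPA server)."""
    sids = secrets_sids(dump_text)
    problems = []
    for name in (netbios_domain, dns_domain, netbios_client):
        if name not in sids:
            problems.append("missing SECRETS/SID/%s" % name)
        elif sids[name] != expected_sid:
            problems.append("SECRETS/SID/%s holds %s, expected %s"
                            % (name, sids[name], expected_sid))
    return problems


if __name__ == "__main__":
    names = ("IPADOM", "IPA.EXAMPLE.TEST", "FILESRV1")
    good = build_secrets(SAMPLE_SID, *names)
    print(format_dump(good))
    print("consistent:", check_secrets(format_dump(good), SAMPLE_SID, *names))
    # a file server whose client key still carries a stale SID
    stale = dict(good, **{"SECRETS/SID/FILESRV1": sid_to_binary(STALE_SID)})
    print("stale key:", check_secrets(format_dump(stale), SAMPLE_SID, *names))
```

Running the block prints the three constructed records in tdbdump layout, an empty problem list for the consistent store, and one line naming the key whose SID differs. Against a real server the same check applies to the text of `tdbdump /var/lib/samba/private/secrets.tdb`, with the expected SID taken from `ipa trustconfig-show`; tdb_unescape also accepts the literal printable characters tdbdump emits for byte values that happen to be ASCII, which a naive `\XX`-only parser would miscount.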

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
