On 10/20/2014 09:15 AM, Loris Santamaria wrote:
I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in an IPA domain which trusts an AD domain.
I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to give it a shot to see how far one
First step, added a group for Domain Computers in ipa, with SID
description: domain computers
Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:
Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.
Fourth step, added a simple samba configuration file on the future samba
workgroup = YYYY
realm = XXXX
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 100000
security = domain
Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash; however, I attached it as well.
Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.

Do I get it right that you are really looking for
https://fedorahosted.org/sssd/ticket/1588 that was just released upstream?
It would be cool if you can try using SSSD 1.12.1 under Samba FS in the
use case you have and provide feedback on how it works for you.
AFAIU you install Samba FS and then use ipa-client to configure SSSD
under it and it should work.
If not we probably should document it (but I do not see any special
design page which leads me to the above expectation).
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.