On 10/20/2014 09:15 AM, Loris Santamaria wrote:
Hi all,

I wanted to install a samba server (or more precisely a winbind server
for pptp authentication) in a IPA domain which trusts an AD domain.

I know that this configuration is not supported but since it works with
plain samba or samba+ldap I wanted to get it a shot to see how far one
could get.

First step, added a group for Domain Computers in ipa, with SID
S-1-XXXX-515:

dn: cn=domaincomputers,cn=groups,cn=accounts,YYYYYYYYYYY
ipaNTSecurityIdentifier: S-1-5-21-XXXXXXXXXX-515
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: domaincomputers
description: domain computers
ipaUniqueID: 5916daa0-57cd-11e4-a15b-000d3a7004fb
gidNumber: 1870500500

Second step, added posix attributes to the ipa host object where samba
would be installed, added SID information, and made it a member of the
domain computers group:

dn: fqdn=gcentralproxy.YYYY,cn=computers,cn=accounts,XXXX
displayName: gcentralproxy
sn: proxy
givenName: gcentral
gecos: gcentralproxy
uidNumber: 1870400015
gidNumber: 1870500500
homeDirectory: /dev/null
loginShell: /sbin/nologin
uid: gcentralproxy$
ipaNTSecurityIdentifier: S-1-5-21-1967106394-3235870896-3821617943-14301
cn: gcentralproxy.cosmeticosgenesis.com
objectClass: ipaobject
objectClass: nshost
objectClass: ipahost
objectClass: pkiuser
objectClass: ipaservice
objectClass: krbprincipalaux
objectClass: krbprincipal
objectClass: ieee802device
objectClass: ipasshhost
objectClass: top
objectClass: ipaSshGroupOfPubKeys
objectClass: ipantuserattrs
objectClass: posixAccount
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
fqdn: gcentralproxy.YYYYY
krbPrincipalName: host/gcentralproxy.cosmeticosgenesis.com@YYYY
serverHostName: gcentralproxy

Third step, I added a cifs service for the host in ipa, and exported the
keytab on the samba server.

Fourth step, added a simple samba configuration file on the future samba
server:

[global]
        workgroup = YYYY
        realm = XXXX
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        max log size = 100000
        security = domain

Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash however I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the "domain computers" group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.

Best regards




Do I get it right that you really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream? It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you.

AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work. If not we probably should document it (but I do not see any special design page which leads me to the above expectation).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to