Interestingly enough, I have almost the same setup here. I did an ipa-server install, then did ipa-adtrust-install. Afterward, I went through and grabbed the configs with 'net conf list' and modified it to use my shares. This one is just my testing, but the production one works perfectly!

How did you import your users? I did mine by setting up an openldap and importing an ldif with the proper DN values. Then ran ipa migrate-ds. In some cases, certain data didn't migrate, so I added that with ldapmodify as necessary.

Here's what my samba config looks like with 'net conf list'. It seems it's pretty much the same as yours. Except for mine working, of course.

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    log file = /var/log/samba/log.%m
    max log size = 100000
    disable spoolss = Yes
    domain logons = Yes
    domain master = Yes
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    ldap suffix = dc=example,dc=com
    ldap ssl = no
    ldap user suffix = cn=users,cn=accounts
    registry shares = Yes
    create krb5 conf = No
    rpc_daemon:lsasd = fork
    rpc_daemon:epmd = fork
    rpc_server:tcpip = yes
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_server:lsasd = external
    rpc_server:lsass = external
    rpc_server:lsarpc = external
    rpc_server:epmapper = external
    ldapsam:trusted = yes
    idmap config * : backend = tdb

[homes]
    browseable = no
    comment = Home Directories
    read only = no

[share1]
    browseable = yes
    read only = no
    path = /srv/samba/share1
    comment = Temporary Public Share
    valid users = @testgroup

Cheers,

herlo

On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith <jasonsm...@attask.com> wrote:

> A little history. We migrated from an OpenLDAP system to FreeIPA. The
> IPA version is listed above. I have samba installed and integrated
> directly on the FreeIPA box.
>
> The problem we're having are users who were migrated can no longer see
> the samba shares. We are connecting to these shares through Mac OSX. When
> accessing the share with smbclient -L mydom...@domain.com I get the
> response *session setup failed: NT_STATUS_CONNECTION_DISCONNECTED.*
> This is the response I get when connected to the FreeIPA/Samba box.
>
> Users were able to access these shares, then overnight, they weren't. No
> changes were made to the samba config or the FreeIPA. *Any new user
> created through FreeIPA can see and browse any share they have access to.*
>
> If there's any other information needed, please let me know. Thank you!!!
>
> Below are a couple configs I have set:
>
> *Samba global settings*
> [global]
> workgroup = ATTASK
> netbios name = IPA01
> realm = ATTASK.CORP
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> log file = /var/log/samba/log.%m
> max log size = 100000
> disable spoolss = Yes
> domain logons = Yes
> domain master = Yes
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> ldap suffix = dc=attask,dc=corp
> ldap ssl = no
> ldap user suffix = cn=users,cn=accounts
> registry shares = Yes
> create krb5 conf = No
> rpc_daemon:lsasd = fork
> rpc_daemon:epmd = fork
> rpc_server:tcpip = yes
> rpc_server:netlogon = external
> rpc_server:samr = external
> rpc_server:lsasd = external
> rpc_server:lsass = external
> rpc_server:lsarpc = external
> rpc_server:epmapper = external
> ldapsam:trusted = yes
> idmap config * : backend = tdb
>
> *User Not Working:*
> dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
> uid: test
> sn: test
> cn: test
> mail: t...@test.com
> nsaccountlock: False
> has_password: True
> has_keytab: True
> dialupAccess: yes
> displayName: test test
> emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
> gidNumber: 107001365
> givenName: test
> homeDirectory: /home/test
> ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
> ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
> krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
> krbLastFailedAuth: 20141028151647Z
> krbLastPwdChange: 20141028152120Z
> krbLastSuccessfulAuth: 20141028152012Z
> krbLoginFailedCount: 0
> krbPasswordExpiration: 20150122152120Z
> krbPrincipalName: t...@attask.corp
> krbTicketFlags: 128
> loginShell: /sbin/nologin
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: organizationalperson
> objectClass: top
> objectClass: customPersonAttributes
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: sambaSamAccount
> objectClass: person
> objectClass: inetuser
> objectClass: krbprincipalaux
> objectClass: radiusProfile
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: ipantuserattrs
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 1424
> radiusTunnelType: VLAN
> sambaPwdLastSet: 0
> sambaSID: S-1-5-21-1103557689-1565082434-1264062975-5622
> uidNumber: 107001355
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project