Hello, I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipa server on the same box so I just had to add the cifs server and get the keytab file in the same way. I was a bit surprised to see that accessing samba using "smbclient -k \\..." worked right away from a linux box. Then stopped working if I did kdestroy. *But,* I never got it to work from Windows. The Windows PC is not joined to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can ssh login via putty without password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria <[email protected]>:
> On Thu, 23-10-2014 at 12:32 +0200, Sumit Bose wrote:
> > On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
> > > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> > > > On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> > > >
> > > > [...]
> > > >
> > > > > Trying to join the server to the domain (net rpc join -U domainadmin -S
> > > > > ipaserver) fails, and it causes a samba crash on the ipa server.
> > > > > Investigating the cause of the crash I found that pdbedit crashes as
> > > > > well (backtrace attached). I couldn't get a meaningful backtrace from
> > > > > the samba crash however I attached it as well.
> > > > >
> > > > > Seems to me that the samba ipasam backend on ipa doesn't like something
> > > > > in the host or the "domain computers" group object in ldap, but I cannot
> > > > > see what could be the problem. Perhaps someone more familiar with the
> > > > > ipasam code can spot it quickly.
> > > >
> > > > Do I get it right that you are really looking for
> > > > https://fedorahosted.org/sssd/ticket/1588 that was just released
> > > > upstream?
> > > > It would be cool if you can try using SSSD 1.12.1 under Samba FS in
> > > > the use case you have and provide feedback on how it works for you.
> > > >
> > > > AFAIU you install Samba FS and then use ipa-client to configure SSSD
> > > > under it and it should work.
> > > > If not we probably should document it (but I do not see any special
> > > > design page which leads me to the above expectation).
> > >
> > > Ok, I'll happily try sssd 1.12.1.
> > >
> > > Just a question, in smb.conf one should use "security = domain" or
> > > "security = ads"?
> >
> > 'ads' because we want to use Kerberos. But there are some other
> > configuration options which need attention, e.g. you have to create a
> > keytab for the cifs service and make it available to samba. I'll try to
> > set up a small howto page listing the needed steps and come back to you
> > early next week.
>
> It works :D, and here is what I did:
>
> Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
> one trusted AD forest (windows 2008R2 controllers), one Centos 7 file
> server.
>
> Step 1) On the file server enable mkosek's COPR ipa repo:
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> 2) Install required packages:
> yum -y install ipa-client sssd-libwbclient samba samba-client
>
> 3) Join the file server to the ipa realm:
> ipa-client-install --mkhomedir
>
> Please note that this step fails, shortly after creating the keytab and
> configuring sssd, probably caused by the version mismatch between ipa
> server (3.3) and client (4.1). I will report the failure shortly.
> Because of the failure I had to complete part of the join procedure
> manually:
> authconfig --enablesssdauth --enablemkhomedir --update (on the client)
> ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)
>
> 4) On the ipa server create the cifs principal for samba:
> ipa service-add cifs/sambatest.my.realm
>
> 5) Install keytab on the samba host:
> ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm -k /etc/samba/samba.keytab
>
> 6) Edit /etc/samba/smb.conf on the samba file server:
> [global]
> workgroup = MY
> realm = MY.REALM
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> kerberos method = dedicated keytab
> log file = /var/log/samba/log.%m
> security = ads
>
> [homes]
> browsable = no
> writable = yes
>
> [shared]
> path = /home/shared
> writable = yes
> browsable = yes
> write list = @admins
>
> 7) To enable samba /home sharing one should turn on a selinux boolean:
> setsebool -P samba_enable_home_dirs on
>
> 8) Restart samba.
>
> Testing:
>
> On another linux member of the IPA domain it is possible to connect to
> the samba shares using smbclient -k:
> kinit [email protected]
> smbclient -k -L sambatest.my.realm
> smbclient -k //sambatest.my.realm/shared
>
> On a windows machine, member of the AD domain, it is possible to connect
> to the samba shares typing in the windows explorer location bar:
> \\sambatest.my.realm
> Also, if the ad user is an (indirect) member of the IPA admins group,
> thanks to the trust relationship, with the above smb.conf he may have
> write access to the \shared folder.
>
> Thanks to the ipa and sssd teams for this great enablement!
> --
> Loris Santamaria linux user #70506 xmpp:[email protected]
> Links Global Services, C.A.
> http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:[email protected]
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
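A small added check (not part of the thread or of FreeIPA/Samba) that compares the [global] section of an smb.conf against the Kerberos-related settings Loris posted above, and flags the two differences John describes (no FILE: prefix on the keytab, no workgroup). Both smb.conf texts are constructed here; the FILE: prefix is flagged only because the working config in the thread uses it, which is an assumption about its relevance.

```python
import configparser

# Constructed [global] sections. WORKING mirrors the smb.conf posted in the
# thread; VARIANT mirrors the differences John describes.
WORKING = """
[global]
workgroup = MY
realm = MY.REALM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads
"""

VARIANT = """
[global]
realm = MY.REALM
dedicated keytab file = /etc/samba/samba.keytab
kerberos method = dedicated keytab
security = ads
"""


def check_global(text):
    """Return a list of findings for [global]; an empty list means it matches
    the settings used in the thread."""
    # smb.conf keys contain spaces and values contain ':' and '%', so only
    # '=' is a delimiter and no interpolation is attempted.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' so Kerberos is used")
    if g.get("kerberos method", "").lower() != "dedicated keytab":
        findings.append("kerberos method should be 'dedicated keytab'")
    keytab = g.get("dedicated keytab file", "")
    if not keytab:
        findings.append("dedicated keytab file is not set")
    elif not keytab.startswith("FILE:"):
        findings.append("dedicated keytab file lacks the FILE: prefix used in the thread")
    if not g.get("realm"):
        findings.append("realm is not set")
    if not g.get("workgroup"):
        findings.append("workgroup is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("WORKING", WORKING), ("VARIANT", VARIANT)):
        print(name, check_global(conf) or ["ok"])
```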
