I did follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA but at first I was always getting NT_STATUS_UNSUCCESSFUL. First I thought it was related to a bad parameter in my samba configuration, because http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA says it is about ipa v4, and since I found this ticket https://fedorahosted.org/freeipa/ticket/3999 I thought the documentation was incomplete.
I debugged the kerberos log file and I realized I was using just the username instead of usern...@realm.com on the windows 8 machine. It showed REALM as a groupname and I thought samba would do the translation, but even on windows share logon you have to use usern...@realm.com, otherwise it doesn't work.

Also, what about all those ldap objects I created earlier? Are they worth it or needed for a kerberized CIFS server? Because they are not mentioned in http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It is working flawlessly now. Thanks a lot for the tip; now my smb.conf is just like in the example of the howto and it is working through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the ldap objects. There is a typo in many places on the internet because it was reproduced from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html on the creation of

dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
cosAttribute: sambaGrouptType

There is a typo on the cosAttribute: a double tT in sambaGrouptType, and I wasn't able to create the object because the template was not found. I found this error in the log: Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition.

I also think it should be documented somewhere that ipa-adtrust-install creates/populates the ipaNTHash; I couldn't find it anywhere, someone told me this on freenode.

And one more doubt. ipa config-mod --userobjectclasses=aaa,bbb,ccc or ipa config-mod --groupobjectclasses=aaa,bbb,ccc doesn't work on IPA 4. Is there a way of doing this on the command line on ipa 4?

Thanks a lot, ipa 4 is excellent.
2015-02-11 6:32 GMT-02:00, Alexander Bokovoy <aboko...@redhat.com>:
> On Tue, 10 Feb 2015, Israel Miranda wrote:
>>I have a freeipa installation of v4 on Fedora 21.
>>I have a separate fileserver with freeipa packages installed from
>>mkosek-freeipa-epel-7.repo on centos 7.
>>
>>I have:
>>* created sambaSAMAccount,sambaGroupMapping UserObjects
>>* created an entry for DNA plugin to populate them
>>  cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>* added a CoS template for sambaGroupType
>>* added a CoS definition for sambaGroupType
>>* used ipa-adtrust-install to create and populate ipaNTHash
>>* checked the creation of these attributes with an ldap browser, all ok
>>* put the fileserver machine on the domain
>>* added necessary permissions, privileges and roles
>>* installed kerberos keytab on the fileserver
>>* was able to retrieve ipaNTHash attribute with the keytab from samba server
>>
>>and now the only thing missing is to integrate the fileserver with the
>>ipaserver.
>>I don't mind using ipasam, but to install it on my centos7
>>fileserver, which only has samba installed and nothing else, it also
>>pulls the whole freeipa-server package, and this is overkill just to
>>get ipasam.so. So I'd like some help in compiling it separately.
>>I am using the standard samba server distributed with centos 7.
>>
>>So I tried to use passdb backend = ldapsam:ldap//ipaserver
>>but samba tries to bind using admin user, and doesn't use keytab, even
>>though I put
>>  dedicated keytab file = FILE:/etc/samba/samba.keytab
>>  kerberos method = dedicated keytab
>>in smb.conf.
> ldapsam currently does not yet support keytab use. With CentOS7/mkosek
> COPR repo you don't need to use any special passdb module anymore, just
> follow
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>>
>>So please help me in getting these two things done:
>>
>>1.
>>use samba with freeipa through ldap (I know it is worse than
>>ipasam, but it would be nice to know how to integrate freeipa with samba
>>with ldap on systems where ipasam might not be available)
> Don't do that, use sssd-libwbclient integration. It requires a pretty
> fresh sssd version (1.12.2+) but the systems you mentioned (F21 and CentOS7
> with mkosek COPR repo) have it.
>
>>2. compile an ipasam.so module so we can work on creating an rpm
>>package in the future, since it is necessary to install ipasam.so
>>separately.
> No need for that when using sssd-libwbclient integration.
>
> --
> / Alexander Bokovoy

--
Free software philosophy : Information is for free. People are not. Contributors are priceless.
Free software philosophy: Information is free. People are not. Contributors are priceless.
Israel Vinícius Miranda
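Added example, not from the thread and not FreeIPA or 389-ds code: a small Python check that parses an LDIF file and validates its cosPointerDefinition entries against the two failure modes described in the post, a cosTemplateDn that is missing from the file and a cosAttribute whose name is not a known attribute (the sambaGrouptType typo). The allow-list of attribute names and the sample LDIF are constructed for the example; dc=example,dc=com is a placeholder.

```python
import re

# Assumption: allow-list of attributes a CoS definition may target (a real check reads the schema).
KNOWN_ATTRS = {"sambagrouptype", "sambasid", "sambadomainname"}

def parse_ldif(text):
    """Minimal LDIF parser; returns {dn.lower(): {attr.lower(): [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in re.sub(r"\n ", "", block).splitlines():   # unfold continuation lines
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value.lower()
            elif key and not key.startswith("#"):
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries

def check_cos_definitions(ldif_text):
    """Report cosPointerDefinition entries whose template is missing or whose cosAttribute is unknown."""
    entries = parse_ldif(ldif_text)
    problems = []
    for dn, attrs in entries.items():
        if "cospointerdefinition" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for tmpl in attrs.get("costemplatedn", []):
            if tmpl.lower() not in entries:
                problems.append(f"{dn}: cosTemplateDn {tmpl} not found")
        for cos_attr in attrs.get("cosattribute", []):
            name = cos_attr.split()[0]              # drop qualifiers such as "default"
            if name.lower() not in KNOWN_ATTRS:
                problems.append(f"{dn}: unknown cosAttribute '{name}'")
    return problems

# Constructed sample: the CoS template plus the definition carrying the typo from the post.
SAMPLE_LDIF = """\
dn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
objectclass: cosTemplate
sambaGroupType: 4

dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
cosAttribute: sambaGrouptType
"""
```

Running `check_cos_definitions(SAMPLE_LDIF)` flags the misspelled cosAttribute; correcting it to sambaGroupType yields an empty list, and dropping the template entry flags the missing cosTemplateDn.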