On Wed, 11 Feb 2015, Israel Miranda wrote:
I did follow 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but first I was always getting NT_STATUS_UNSUCCESSFUL
First I thought it was related to a bad parameter in my samba
configuration, because
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
says it is about ipa v4 and I found this ticket
https://fedorahosted.org/freeipa/ticket/3999 I thought the
documentation was incomplete.
Documentation regarding Samba integration is incomplete. We are working
on improving it but nothing is ready for review yet.

I debugged kerberos log file and I realized I was using just username
instead of usern...@realm.com in windows 8 machine. It showed REALM as
a groupname and I thought samba would do the translation but even on
windows share logon you have to use usern...@realm.com otherwise it
doesn´t work.
Yes. When you are using cross-forest trust to AD this will happen
automatically. If you are not using cross-forest trust to AD, this use
case is not yet officially supported so I glad that it works for you.

Also what about all those ldap objects I created earlier ?
Are they worth or need for a kerberized CIFS server ?
Because they are not mentioned in
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
You don't need to create any additional LDAP objects.

What you need is basically following:

1. Run ipa-adtrust-install on all masters that will be serving AD users.
Right now this means effectively all masters but we are working on
separating the heavy parts (runnning smbd/winbindd on each master) soon.

2. Use 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
to configure your Fedora 21+ or RHEL7.1beta or later servers to host
Samba.


It is working flawlessly now. Thanks a lot for the tip, now my
smb.conf is just like in the example of the howto and it is working
through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the ldap objects,
there is a typo many places on the internet because it was reproduced
from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
Notice that it is against Fedora 17 which is way old now and obsolete.

I also think should be documented somewhere that ipa-adtrust-install
creates/populates the ipaNTHash, I couldn't find it anywhere, someone
told me this on freenode.
Given that you don't need to know about ipaNTHash to use
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
all you need is documented there. I've added a note that IPA masters
have to be configured with ipa-adtrust-install.


And one more doubt.
ipa config-mod --userobjectclasses=aaa,bbb,ccc
or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
doesn't work on iPA 4.
Is there a way of doing this on the command line on ipa 4 ?
Use shell expansion.

ipa object-command --attribute={value1,value2,value3,...}


--
/ Alexander Bokovoy

Attachment: pgpHYjaIFhrlr.pgp
Description: PGP signature

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to