On 05/06/2015 05:11 PM, box 31978 wrote:
Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at file sharing level. Everything seems to work fine except share access from a standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs, not a DC)
- win-client: Windows 7 Home Premium

Config is done following the FreeIPA's Samba integration guide, and testing with samba-client from ipa-server (or any other ipa-joined machine) to file-server using kerberos after calling kinit is successful (file manipulation included).

Attempts to connect to the same share from win-client ends up with a log in error. Analyzing logs: Samba can't find the user because it can't find any DC, and that's because Samba can't resolve workgroup name (note that's not a question of SSO: win-client asks to type username and password). It seems that maybe Samba is not handling new kerberos ticket requests.

By now, my questions are:
- Can this setup work or it is absolutely necessary that any Windows client expecting to access Samba shares have to be already joined to a trusted domain?

Samba can have different ID sources. May be there is a way to somehow specify users that are not members of the domain locally on the Samba server. At least this is what I would research if I faced that issue.

- If this setup can't be done, I'll go for an LDAP config in file-server against ipa-server, but then, can I maintain the file-server joined with ipa-client? Will it work?

Yes. With SSSD 1.12 on the file server it should work.
https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient


Feel free to ask whatever you want, any suggestions will be welcome. Thanks!

Regards,

A.




--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to