On 05/06/2015 05:11 PM, box 31978 wrote:
These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from
a standalone Windows client.
This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home
dirs, not a DC)
- win-client: Windows 7 Home Premium
Config is done following FreeIPA's Samba integration guide, and
testing with samba-client from ipa-server (or any other ipa-joined
machine) to file-server using Kerberos after calling kinit is
successful (file manipulation included).
Attempts to connect to the same share from win-client end up with a
login error. Analyzing logs: Samba can't find the user because it
can't find any DC, and that's because Samba can't resolve the workgroup
name (note that's not a question of SSO: win-client asks to type
username and password). It seems that maybe Samba is not handling new
Kerberos ticket requests.
By now, my questions are:
- Can this setup work, or is it absolutely necessary that any Windows
client expecting to access Samba shares has to be already joined to a

Samba can have different ID sources. Maybe there is a way to somehow
specify users that are not members of the domain locally on the Samba
server. At least this is what I would research if I faced that issue.

- If this setup can't be done, I'll go for an LDAP config in
file-server against ipa-server, but then, can I maintain the
file-server joined with ipa-client? Will it work?

Yes. With SSSD 1.12 on the file server it should work.

Feel free to ask whatever you want, any suggestions will be welcome.
Director of Engineering for IdM portfolio
Red Hat, Inc.