On 05/06/2015 05:11 PM, box 31978 wrote:
Hello everyone,
These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from
a standalone Windows client.
This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home
dirs, not a DC)
- win-client: Windows 7 Home Premium
Config is done following FreeIPA's Samba integration guide, and
testing with samba-client from ipa-server (or any other ipa-joined
machine) to file-server using Kerberos after calling kinit is
successful (file manipulation included).
Attempts to connect to the same share from win-client end up with a
login error. Analyzing logs: Samba can't find the user because it
can't find any DC, and that's because Samba can't resolve the workgroup
name (note that it's not a question of SSO: win-client asks to type
username and password). It seems that maybe Samba is not handling new
Kerberos ticket requests.
By now, my questions are:
- Can this setup work, or is it absolutely necessary that any Windows
client expecting to access Samba shares be already joined to a
trusted domain?

Samba can have different ID sources. Maybe there is a way to somehow
specify users that are not members of the domain locally on the Samba
server. At least this is what I would research if I faced that issue.

- If this setup can't be done, I'll go for an LDAP config in
file-server against ipa-server, but then, can I maintain the
file-server joined with ipa-client? Will it work?

Yes. With SSSD 1.12 on the file server it should work.
https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient

Feel free to ask whatever you want, any suggestions will be welcome.
Thanks!
Regards,
A.
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.