Hi,

Yes, it's possible to operate freeIPA and Samba as you suggest; we have been doing so for some years now (with several freeIPA and Samba versions).

Our end users use a mix of Windows and OSX laptops / workstations. These are not members of any kind of domain. They access our file servers via Samba shares authenticated by freeIPA. The samba server is a freeIPA client.

The samba config on the freeIPA side looks like it was done along the lines in the link http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The ldap config in our samba smb.conf looks like this:

    security = user
    passdb backend = ldapsam:ldap://ldap.my.example.com
    ldap suffix = dc=my,dc=example,dc=com
    ldap admin dn = cn=Directory Manager
    ldap ssl = off

Cheers
Chris

From: box 31978 <box31...@gmail.com>
To: freeipa-users@redhat.com
Date: 06.05.2015 23:18
Subject: [Freeipa-users] freeipa-samba integration and windows clients
Sent by: freeipa-users-boun...@redhat.com

Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at the file sharing level. Everything seems to work fine except share access from a standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs, not a DC)
- win-client: Windows 7 Home Premium

Config is done following FreeIPA's Samba integration guide, and testing with samba-client from ipa-server (or any other ipa-joined machine) to file-server using Kerberos after calling kinit is successful (file manipulation included). Attempts to connect to the same share from win-client end up with a login error. Analyzing the logs: Samba can't find the user because it can't find any DC, and that's because Samba can't resolve the workgroup name (note that it's not a question of SSO: win-client asks to type username and password). It seems that maybe Samba is not handling new Kerberos ticket requests.

By now, my questions are:
- Can this setup work, or is it absolutely necessary that any Windows client expecting to access Samba shares has to be already joined to a trusted domain?
- If this setup can't be done, I'll go for an LDAP config in file-server against ipa-server, but then, can I maintain the file-server joined with ipa-client? Will it work?

Feel free to ask whatever you want; any suggestions will be welcome.

Thanks!
Regards,
A.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
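Editor's added example (not code from either poster or from the FreeIPA or Samba projects): the ldapsam settings quoted in the reply above bind to the directory as cn=Directory Manager over plain ldap:// with START TLS switched off. Samba stores that bind password in secrets.tdb on the file server, and ldapsam reads the stored NT password hashes from the directory over the same connection, so a practitioner reviewing such a file server would want a quick check for those two settings. The script below audits an smb.conf for them without a running server. The smb.conf parameter names are real; the hostnames, the suffix and the dedicated bind account uid=samba,cn=sysaccounts,cn=etc,... in the hardened sample are assumptions, and the sample files are constructed here. Only an explicit "ldap ssl = off" is flagged; when the key is absent Samba's own default applies and the script leaves it alone.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA/Samba projects.
# audit_ldapsam FILE prints one line per weak setting in an smb.conf that
# uses the ldapsam passdb backend. POSIX sh + awk only; no testparm needed.

# Constructed sample 1: the settings quoted in the reply above.
WEAK_CONF="$(mktemp)"
cat >"$WEAK_CONF" <<'EOF'
[global]
   security = user
   passdb backend = ldapsam:ldap://ldap.my.example.com
   ldap suffix = dc=my,dc=example,dc=com
   ldap admin dn = cn=Directory Manager
   ldap ssl = off
EOF

# Constructed sample 2: same backend, but LDAP over TLS (ldaps://, so
# "ldap ssl = off" is fine here) and a dedicated least-privileged bind
# account instead of Directory Manager. The account DN is an assumption.
HARDENED_CONF="$(mktemp)"
cat >"$HARDENED_CONF" <<'EOF'
[global]
   security = user
   passdb backend = ldapsam:ldaps://ldap.my.example.com
   ldap suffix = dc=my,dc=example,dc=com
   ldap admin dn = uid=samba,cn=sysaccounts,cn=etc,dc=my,dc=example,dc=com
   ldap ssl = off
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# smbconf_get FILE KEY: value of the first "KEY = value" line. Key match is
# case-insensitive, whitespace is trimmed, and values may contain '='
# themselves (as "ldap suffix = dc=my,dc=example,dc=com" does).
smbconf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# audit_ldapsam FILE: one finding per line on stdout; exit status 0 if clean.
audit_ldapsam() {
    conf="$1"
    backend="$(smbconf_get "$conf" 'passdb backend')"
    # normalise "start tls" / "start_tls" / "Off" to one spelling
    ssl="$(smbconf_get "$conf" 'ldap ssl' | tr 'A-Z' 'a-z' | tr -d ' _')"
    admin="$(smbconf_get "$conf" 'ldap admin dn' | tr 'A-Z' 'a-z')"
    count=0

    # Finding 1: plain ldap:// with START TLS explicitly off. The bind
    # password and the password hashes ldapsam reads cross the wire in clear.
    # Fix: ldaps:// in the backend URL, or "ldap ssl = start tls".
    case "$backend" in
        ldapsam:ldap://*)
            if [ "$ssl" = "off" ]; then
                echo "ldapsam over ldap:// with 'ldap ssl = off': directory traffic is cleartext"
                count=$((count + 1))
            fi ;;
    esac

    # Finding 2: binding as cn=Directory Manager. Its password sits in
    # secrets.tdb on the file server, so a file-server compromise hands over
    # the whole directory. Fix: a bind account limited to what ldapsam needs.
    if [ "$admin" = "cn=directory manager" ]; then
        echo "'ldap admin dn' is cn=Directory Manager: file server holds the directory superuser password"
        count=$((count + 1))
    fi
    [ "$count" -eq 0 ]
}

# Usage: audit_ldapsam /etc/samba/smb.conf
audit_ldapsam "$WEAK_CONF"
audit_ldapsam "$HARDENED_CONF" && echo "hardened sample: no findings"
```

Run it against /etc/samba/smb.conf on the file server; two lines come back for the quoted settings and none for the hardened sample. The check is deliberately narrow: it says nothing about whether the directory actually carries the Samba schema attributes the ldapsam backend expects, which is what the linked techslaves guide sets up.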