On Thu, 07 May 2015, box 31978 wrote:
Hello Alexander,

Thank you very much for your answers!

If the Windows client is not a part of the domain, there is no SSO and no
Kerberos. The Windows client will attempt to use NTLMSSP authentication.
Right now -- yes. You are saying you've been following "FreeIPA's Samba
integration guide" which I assume is
which only works for Kerberos authentication because NTLMSSP is not
supported by SSSD.

Yes, your assumption is absolutely exact ;-)

That's clear now, my thoughts went in this direction too: anyone is
handling a new Kerberos ticket request because of the authentication type.

Not really. The story is more complex than it seems and right now there
is no ready-made solution for out-of-domain Windows clients.

Ok, I understand.

Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
works fine on Samba3 and 389-DS), but I'm not sure about the configuration.
Can the file server's SSSD have Kerberos auth (the result of ipa-client-install)
and LDAP auth (added settings in sssd.conf) at the same time for the same
domain? Will they work together, or will I have to choose one of the two?

SSSD can, but you need Samba to be aware of these things because Samba
needs way more than just passwords. FreeIPA uses a different LDAP schema
for the additional attributes compared to what the standard Samba PASSDB
module for LDAP expects, so if you enable that one in smb.conf, you'll
get nothing.

As Christoph pointed out in another email, you may try to enable the older
Samba-compatible schema, but that wouldn't play well with IPA's support
for SIDs (including on the SSSD side) as we are using different attributes,
and you'll be forced to maintain certain aspects manually.

There is hope to get NTLMSSP support implemented, but not soon; we have
bits in place but there is still work to be done.
/ Alexander Bokovoy
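The schema mismatch Alexander describes above (Samba's LDAP passdb module looks for sambaSamAccount attributes, while FreeIPA stores SIDs and NT hashes under its own object class) can be made concrete with a small check over user entries. The script below is an added example, not code from the thread or from the FreeIPA or Samba projects. The object class and attribute names are the real ones from the Samba and FreeIPA schemas; the "minimal required set" chosen for each backend, and the sample entries, are constructed for illustration and are assumptions, not a statement of what either backend enforces.

```python
# Added example (not from the freeipa-users thread, FreeIPA or Samba):
# show why pointing Samba's ldapsam passdb backend at a stock FreeIPA
# directory yields "nothing": the entries carry FreeIPA's ipaNTUserAttrs
# attributes, not the sambaSamAccount attributes ldapsam searches for.
# All entries below are constructed Python dicts standing in for LDAP
# entries; nothing here talks to a directory server.

from typing import Dict, List

# What Samba's ldapsam backend expects on a user entry. Object class and
# attribute names are real Samba schema names; treating exactly these two
# attributes as the minimal set is an assumption made for this example.
LDAPSAM_OBJECTCLASS = "sambaSamAccount"
LDAPSAM_REQUIRED = ("sambaSID", "sambaNTPassword")

# The FreeIPA equivalents (real FreeIPA schema names): SID and NT hash live
# under ipaNTUserAttrs with different attribute names. Same minimal-set
# assumption as above.
IPA_OBJECTCLASS = "ipaNTUserAttrs"
IPA_REQUIRED = ("ipaNTSecurityIdentifier", "ipaNTHash")


def has_layout(entry: Dict[str, List[str]], objectclass: str, required) -> bool:
    """True if the entry carries the object class and every required attribute."""
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if objectclass.lower() not in classes:
        return False
    # Attribute names are case-insensitive in LDAP, so compare lowercased.
    present = {name.lower() for name, values in entry.items() if values}
    return all(attr.lower() in present for attr in required)


def usable_layouts(entry: Dict[str, List[str]]) -> List[str]:
    """Which passdb data layouts this single user entry could satisfy."""
    found = []
    if has_layout(entry, LDAPSAM_OBJECTCLASS, LDAPSAM_REQUIRED):
        found.append("ldapsam")
    if has_layout(entry, IPA_OBJECTCLASS, IPA_REQUIRED):
        found.append("ipa")
    return found


def report(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each uid to the layouts its entry satisfies."""
    return {e["uid"][0]: usable_layouts(e) for e in entries}


# Constructed sample entries (hypothetical users, SIDs and hashes).
IPA_USER = {
    "uid": ["alice"],
    "objectClass": ["inetOrgPerson", "posixAccount", "ipaNTUserAttrs"],
    "ipaNTSecurityIdentifier": ["S-1-5-21-1111111111-2222222222-3333333333-1001"],
    "ipaNTHash": ["<binary NT hash, omitted>"],
}

# A FreeIPA user whose entry has the object class but no ipaNTHash value yet.
IPA_USER_NO_HASH = {
    "uid": ["bob"],
    "objectClass": ["inetOrgPerson", "posixAccount", "ipaNTUserAttrs"],
    "ipaNTSecurityIdentifier": ["S-1-5-21-1111111111-2222222222-3333333333-1002"],
}

# A classic Samba3-on-LDAP user, the layout ldapsam is written for.
SAMBA3_USER = {
    "uid": ["carol"],
    "objectClass": ["inetOrgPerson", "posixAccount", "sambaSamAccount"],
    "sambaSID": ["S-1-5-21-4444444444-5555555555-6666666666-1003"],
    "sambaNTPassword": ["31D6CFE0D16AE931B73C59D7E0C089C0"],
}

if __name__ == "__main__":
    for uid, layouts in report([IPA_USER, IPA_USER_NO_HASH, SAMBA3_USER]).items():
        print(f"{uid}: {layouts or ['no passdb layout matches']}")
```

Running the block shows alice matching only the "ipa" layout, carol only "ldapsam", and bob neither; that is the situation the reply describes: a Samba configured with the stock LDAP passdb module would find no usable account in the first two entries, and the only way to get both columns populated is to maintain both attribute sets, which is the manual upkeep Alexander warns about.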

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
