Hi, OK, I have a Samba Group Type now in my groups details list and also in the groups settings tab.
I'm not 100% how this is managed. I have Grouptype 4, in the groups overview it's still empty. But how to manage this between samba and ipa ? What should be the reference between the group(names) ? Thanks again! Matt 2015-08-03 13:20 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>: > HI Matt > > It looks like I skipped that step ... (And as we already had samba groups > in place, did not need to make new ones via the WebUI). > > However a quick google trawled up this old thread that has a possible > answer from Peter. (I have not tested it yet myself). > > https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html > > Chris > > > > From: "Matt ." <yamakasi....@gmail.com> > To: > Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> > Date: 03.08.2015 12:45 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > Sent by: freeipa-users-boun...@redhat.com > > > > In my previous reply, I ment "no group.js at all" . > > > 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi....@gmail.com>: >> Hi Chris, >> >> Thanks for that verification! >> >> It seems that: >> >> /usr/share/ipa/ui/group.js >> >> Is not there on IPA.4.1, also there is no .js at all on the whole system. >> >> Any idea there ? >> >> Thanks again! >> >> Matt >> >> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>: >>> Hi Matt >>> >>> Thankfully I saved the output from those ldapmodify commands (against >>> FreeIPA 4.1) and was able to find it again! >>> >>> In our case sambagrouptype also seems to have already been present, so > that >>> should not hurt. >>> >>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF >>>> dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com >>>> changetype: add >>>> add: ipaCustomFields >>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>>> EOF >>> SASL/GSSAPI authentication started >>> SASL username: l...@my.silly.example.com >>> SASL SSF: 56 >>> SASL data security layer installed. >>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com" >>> ldap_add: Already exists (68) >>> >>> Chris >>> >>> >>> >>> >>> From: "Matt ." <yamakasi....@gmail.com> >>> To: >>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> >>> Date: 02.08.2015 13:33 >>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >>> Sent by: freeipa-users-boun...@redhat.com >>> >>> >>> >>> Chris, >>> >>> Are you doing this on 3.x or also 4.x ? >>> >>> As the following already exists: >>> >>> ldapmodify -Y GSSAPI <<EOF >>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld >>> changetype: add >>> add: ipaCustomFields >>> ipaCustomFields: "Samba Group Type,sambagrouptype,true" >>> EOF >>> >>> >>> And I'm unsure about the pyton files are they are sligtly different on > 4.1 >>> >>> >>> Thanks! >>> >>> >>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi....@gmail.com>: >>>> Hi, >>>> >>>> Yes I found that earlier, that looks good and even better when you >>>> confirm this as really usable. >>>> >>>> For Samba 4 the IPA devs are very busy but I wonder indeed what >>>> happends when we "need" to move because integration has been improved. >>>> >>>> I try to keep IPA as native as I can. >>>> >>>> So this is the best way to go for now, even when this thread is such >>> "old" ? >>>> >>>> Thanks! >>>> >>>> Matt >>>> >>>> >>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb > <christopher.l...@ch.ibm.com>: >>>>> Hi Matt >>>>> >>>>> For a "how to" of Samba FreeIPA integration using schema extensions, > see >>>>> this previous thread >>>>> >>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html >>>>> >>>>> That should point to this techslaves article with the detailed >>> instructions >>>>> that we followed: >>>>> >>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ >>>>> >>>>> The main reason we went that way is that we have no AD domain, which >>> seems >>>>> to be required by other integration paths. >>>>> >>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now >>> 7.x). >>>>> So things may be different on Ubuntu. >>>>> >>>>> As always, when changing the LDAP schema, an LDAP browser like Apache >>>>> Directory Studio is very useful to visualise what is going on and to >>> verify >>>>> if your changes are present! (and is sometime easier to manually > change >>>>> attributes rather than by LDAPMODIFY script....) >>>>> >>>>> There is another ongoing thread in this mailing list about problems > with >>>>> the attribute SambaPwdLastSet. >>>>> >>>>> Chris >>>>> >>>>> >>>>> >>>>> From: "Matt ." <yamakasi....@gmail.com> >>>>> To: >>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> >>>>> Date: 31.07.2015 16:58 >>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against > IPA >>>>> Sent by: freeipa-users-boun...@redhat.com >>>>> >>>>> >>>>> >>>>> Hi, >>>>> >>>>> This is nice to have confirmed. >>>>> >>>>> Is it possible for you to descrive what you do ? It might be handy to >>>>> add this to the IPA documentation also with some explanation why... >>>>> >>>>> Cheers, >>>>> >>>>> Matt >>>>> >>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb >>> <christopher.l...@ch.ibm.com>: >>>>>> Hi >>>>>> >>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to > the >>>>>> "shares" using their FreeIPA credentials. The only password mgmt >>> problem >>>>>> that we have is, that the users get no notice of password expiry > until >>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not >>>>>> accepted when trying to connect to a share. Once the password is > reset >>>>> (via >>>>>> CLI or FreeIPA WebUi), they can access the shares again. >>>>>> >>>>>> Chris >>>>>> >>>>>> >>>>>> >>>>>> From: Youenn PIOLET <piole...@gmail.com> >>>>>> To: "Matt ." <yamakasi....@gmail.com> >>>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> >>>>>> Date: 31.07.2015 16:21 >>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against >>> IPA >>>>>> Sent by: freeipa-users-boun...@redhat.com >>>>>> >>>>>> >>>>>> >>>>>> Hi, >>>>>> I asked the very same question a few weeks ago, but no answer yet. >>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174 >>>>>> >>>>>> The only method I see is to install samba extensions in FreeIPA's > LDAP >>>>>> directory, and bind samba with LDAP. There may be a lot of > difficulties >>>>>> with password management doing this, that's why I'd like to get a >>> better >>>>>> solution :) >>>>>> >>>>>> Anyone? >>>>>> >>>>>> >>>>>> -- >>>>>> Youenn Piolet >>>>>> piole...@gmail.com >>>>>> >>>>>> >>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi....@gmail.com>: >>>>>> Hi Guys, >>>>>> >>>>>> I'm really struggeling getting a NON AD Samba server authing > against >>> a >>>>>> FreeIPA server: >>>>>> >>>>>> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5 >>>>>> CentOS 7.1 -> FreeIPA 4.1 >>>>>> >>>>>> Now this seems to be the way: >>>>>> >>>>>> >>>>> >>> > https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >>>>>> >>>>>> >>>>>> But as this, which I also found on the mailinglists: >>>>>> >>>>>> NOTE: Only Kerberos authentication will work when accessing Samba >>>>>> shares using this method. This means that Windows clients not > joined >>>>>> to Active Directory forest trusted by IPA would not be able to > access >>>>>> the shares. This is related to SSSD not yet being able to handle >>>>>> NTLMSSP authentication. >>>>>> >>>>>> It might not be that easy to have a Samba Shares only server. >>>>>> >>>>>> Any idea here how to accomplish ? >>>>>> >>>>>> Cheers, >>>>>> >>>>>> Matt >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>>> >>>>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >>> >>> >>> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project