Hi Matt, Youenn

Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):

* objectClass: sambasamaccount
* Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):

* objectClass: sambaGroupMapping
* Attributes: sambaGroupType, sambaSID

The Users must belong to one or more of the samba groups that you have set up.

If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions.

It would be worth comparing a new user / group created after adding the extensions to a previously existing user, i.e. are the extensions missing on existing users / groups? Are the extensions missing on new users / groups?

Cheers

Chris


From: Youenn PIOLET <piole...@gmail.com>
To: "Matt ." <yamakasi....@gmail.com>
Cc: Christopher Lamb/Switzerland/IBM@IBMCH, "email@example.com" <firstname.lastname@example.org>
Date: 04.08.2015 18:56
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi there,

I have difficulties to follow you at this point :)
Here is what I've done and what I've understood:

## SMB Side

- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter: (&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have sambaSamAccount.

## LDAP / FreeIPA side

- Since the SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get the samba LDAP extensions.
- I can see the samba classes exist in LDAP but are not used on my group objects nor my user objects.
- I have added sambaSamAccount to the FreeIPA default user classes, and sambaGroupMapping to the default group classes. In that state I can't create users or groups anymore, as the new samba attributes are needed for instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells me that the sambagrouptype attribute doesn't exist (but it should, now that I put the sambaGroupType class by default...)

## Questions

0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
1) How to generate the user/group SIDs? They are requested to add the sambaSamAccount classes. This article doesn't seem relevant since we don't use a domain controller http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html and net getlocalsid returns an error.
2) How to fix the samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piole...@gmail.com


2015-08-04 17:55 GMT+02:00 Matt . <yamakasi....@gmail.com>:

Hi,

Yes, the log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.

There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
> Hi Matt
>
> I assume [username] is a real username, identical to that in the FreeIPA
> cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>
> Your user should be a member of the appropriate samba groups that you set up
> in FreeIPA.
>
> You should check that the user attribute SambaPwdLastSet is set to a
> positive value (e.g. 1). If not you get an error in the Samba logs - I
> would need to play around again with a test user to find out the exact
> error.
>
> I don't understand what you mean about syncing the users local, but we did
> not need to do anything like that.
>
> Chris
>
>
> From: "Matt ." <yamakasi....@gmail.com>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: "email@example.com" <firstname.lastname@example.org>
> Date: 04.08.2015 15:33
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> A puppet run added another passdb backend, that was causing my issue.
>
> What I still experience is:
>
> [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'username' in passdb.
> [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>
> I also wonder if I shall still sync the users local, or is it needed?
>
> Thanks again,
>
> Matt
>
> 2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>> Hi Matt
>>
>> From our smb.conf file:
>>
>> [global]
>> security = user
>> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>> ldap admin dn = cn=Directory Manager
>>
>> So yes, we use Directory Manager, it works for us. I have not tried with a
>> less powerful user, but it is conceivable that a lesser user may not see
>> all the required attributes, resulting in "no such user" errors.
>>
>> Chris
>>
>>
>> From: "Matt ." <yamakasi....@gmail.com>
>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>> Cc: "email@example.com" <firstname.lastname@example.org>
>> Date: 04.08.2015 13:32
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi Chris,
>>
>> Thanks for the heads up, indeed local is 4 I see now when I add a
>> group from the GUI, great thanks!
>>
>> But do you use Directory Manager as ldap admin user or some other
>> admin account?
>>
>> I'm not sure if DM is needed and it should get that deep into IPA.
>> Also when starting samba it cannot find "such user" as that sounds
>> quite known as it has no UID.
>>
>> From your config I see you use DM, this should work?
>>
>> Thanks!
>>
>> Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
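The thread boils down to a schema check: Samba's ldapsam backend only sees entries matching the pdbedit filter (&(uid=*)(objectclass=sambaSamAccount)), and Chris lists the objectClasses and attributes a user and a group need, plus the rule that sambaPwdLastSet must be positive. The script below is an added example, not code from the thread, FreeIPA or Samba: it parses an LDIF export of cn=accounts (such as the output of ldapsearch -LLL) offline and reports, per user or group entry, which of those extensions are missing. The LDIF sample, the DNs and the SID/hash values in it are constructed; the hash value is a zero placeholder, not a real NT hash.

```python
"""Audit FreeIPA user/group entries for the Samba LDAP extensions discussed in the thread.

Added example, not FreeIPA's or Samba's own code. Feed it an LDIF export of
cn=accounts and it reports which entries pdbedit/ldapsam would skip and why.
"""
import re
from collections import defaultdict

# Requirements as stated in Chris's message. LDAP names are case-insensitive,
# so everything is compared lower-cased.
USER_CLASS = "sambasamaccount"
USER_ATTRS = ("sambasid", "sambantpassword", "sambapwdlastset")
GROUP_CLASS = "sambagroupmapping"
GROUP_ATTRS = ("sambagrouptype", "sambasid")

# Constructed sample export: one complete user, one plain POSIX user that
# never received the extensions, and a group missing its sambaSID.
SAMPLE_LDIF = """\
# constructed sample, not a real directory export
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
sambaNTPassword: 00000000000000000000000000000000
sambaPwdLastSet: 1

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: smbusers
sambaGroupType: 2
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]}).

    Folded continuation lines (leading space) are joined; comments are
    skipped; base64 ('::') values are kept encoded, which is enough for
    presence checks.
    """
    entries = []
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if value.startswith(":"):          # '::' base64 form
                value = value[1:].strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def check_entry(dn, attrs):
    """Return the list of problems for one entry; an empty list means OK.

    Entries under cn=users are checked as Samba users, cn=groups as groups;
    anything else is ignored.
    """
    dn_l = dn.lower()
    if "cn=users" in dn_l:
        want_class, want_attrs = USER_CLASS, USER_ATTRS
    elif "cn=groups" in dn_l:
        want_class, want_attrs = GROUP_CLASS, GROUP_ATTRS
    else:
        return []
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if want_class not in classes:
        # exactly the entries that pdbedit's objectclass=sambaSamAccount filter drops
        problems.append(f"missing objectClass {want_class}")
    for attr in want_attrs:
        if attr not in attrs:
            problems.append(f"missing attribute {attr}")
    # Chris: sambaPwdLastSet must hold a positive value or Samba logs an error
    if want_class == USER_CLASS and "sambapwdlastset" in attrs:
        try:
            if int(attrs["sambapwdlastset"][0]) <= 0:
                problems.append("sambaPwdLastSet is not positive")
        except ValueError:
            problems.append("sambaPwdLastSet is not an integer")
    return problems


def audit(ldif_text):
    """Map each user/group DN in the LDIF to its list of problems."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "; ".join(problems))
```

Run against a real export, an entry reported with "missing objectClass sambasamaccount" is one that will produce the NT_STATUS_NO_SUCH_USER seen in the thread even though the POSIX account exists, which separates a schema/extension problem from a bind-DN or permissions problem.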