Hi Matt, Youenn

Just to set the background properly, I did not invent this process. I know
only a little about FreeIPA, and almost nothing about Samba, but I guess I
was lucky enough to get the integration working on a Sunday afternoon. (I
did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

It sounds like we need to step back, and look at the test user and group in
the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
(cn=accounts, cn=users):

* objectClass: sambasamaccount

* Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
(cn=accounts, cn=groups):

* objectClass: sambaGroupMapping

* Attributes: sambaGroupType, sambaSID

The Users must belong to one or more of the samba groups that you have

If you don't have something similar to the above (which sounds like it is
the case), then something went wrong applying the extensions. It would be
worth comparing a new user / group created after adding the extensions
with a previously existing user.

Are the extensions missing on existing users / groups?
Are the extensions missing on new users / groups?
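A check for those two questions, as an added example that is not from this thread or from FreeIPA/Samba: it parses an ldapsearch LDIF dump of cn=accounts and reports, per user and group, which of the Samba objectClasses and attributes listed above are missing (the sample LDIF is constructed, and the dc=example,dc=com suffix is an assumption).

```python
import re

# Samba extensions the thread expects on users and groups: (objectClass, attributes).
REQUIRED = {
    "users": ("sambasamaccount", ("sambasid", "sambantpassword", "sambapwdlastset")),
    "groups": ("sambagroupmapping", ("sambagrouptype", "sambasid")),
}
# Constructed sample dump (placeholder SID / NT hash): alice complete, bob bare, group lacks SID.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1001
sambaNTPassword: 00000000000000000000000000000000
sambaPwdLastSet: 1

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=smbusers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: sambaGroupMapping
sambaGroupType: 4
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; folded lines are joined, base64 (::) values kept raw."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.lstrip(":").strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_samba_extensions(ldif_text):
    """Map each user/group DN to its missing Samba items (empty list = usable by ldapsam)."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        kind = "users" if ",cn=users," in dn.lower() else "groups" if ",cn=groups," in dn.lower() else None
        if kind is None:
            continue  # the cn=users / cn=groups containers themselves, or anything else
        oc, needed = REQUIRED[kind]
        missing = [] if oc in map(str.lower, attrs.get("objectclass", [])) else [f"objectClass {oc}"]
        missing += [a for a in needed if a not in attrs]
        # smbd also rejects a zero sambaPwdLastSet; the thread says it must be positive (e.g. 1)
        if kind == "users" and attrs.get("sambapwdlastset", ["1"])[0] in ("", "0"):
            missing.append("sambaPwdLastSet not positive")
        report[dn] = missing
    return report
```

Feed it the output of an ldapsearch -LLL over cn=accounts: any user or group with a non-empty list is one that ldapsam's (&(uid=*)(objectclass=sambaSamAccount)) filter will not return.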



From:   Youenn PIOLET <piole...@gmail.com>
To:     "Matt ." <yamakasi....@gmail.com>
Cc:     Christopher Lamb/Switzerland/IBM@IBMCH,
            "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date:   04.08.2015 18:56
Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi there,

I have difficulty following you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter:
(&(uid=*)(objectclass=sambaSamAccount). In LDAP, the users don't have

## LDAP / FreeIPA side
- Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get samba LDAP extensions.
- I can see samba classes exist in LDAP but are not used on my group
objects nor my user objects
- I have added sambaSamAccount to the FreeIPA default user classes,
and sambaGroupMapping to the default group classes. In that state I can't
create users or groups anymore, as new samba attributes are needed for
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the "local" option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and says that the sambagrouptype attribute doesn't
exist (but it should, now that I've put the sambaGroupType class by default...)

## Questions
0) Can I ask samba not to search for sambaSamAccount and use unix / posix
instead? I guess not.
1) How do I generate the user/group SIDs? They are required to add
sambaSamAccount classes.
This article doesn't seem relevant since we don't use a domain controller
and netgetlocalsid returns an error.
2) How do I fix the samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation; where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows

Thanks a lot for your previous and future answers

Youenn Piolet

2015-08-04 17:55 GMT+02:00 Matt . <yamakasi....@gmail.com>:

  Yes, log is anonymised.

  It's strange, my user doesn't have a SambaPwdLastSet, and also when I
  change its password it doesn't get it in ldap.

  There must be something going wrong I guess.


  2015-08-04 17:45 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com
  > Hi Matt
  > I assume [username] is a real username, identical to that in the
  > cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
  > Your user should be a member of the appropriate samba groups that you
  > in FreeIPA.
  > You should check that the user attribute SambaPwdLastSet is set to a
  > positive value (e.g. 1). If not you get an error in the Samba logs - I
  > would need to play around again with a test user to find out the exact
  > error.
  > I don't understand what you mean about syncing the users local, but we
  > not need to do anything like that.
  > Chris
  > From:   "Matt ." <yamakasi....@gmail.com>
  > To:     Christopher Lamb/Switzerland/IBM@IBMCH
  > Cc:     "freeipa-users@redhat.com" <freeipa-users@redhat.com>
  > Date:   04.08.2015 15:33
  > Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
  > Hi Chris,
  > A puppet run added another passdb backend, that was causing my issue.
  > What I still experience is:
  > [2015/08/04 15:29:45.477783,  3]
  > ../source3/auth/check_samsec.c:399(check_sam_security)
  >   check_sam_security: Couldn't find user 'username' in passdb.
  > [2015/08/04 15:29:45.478026,  2]
  > ../source3/auth/auth.c:288(auth_check_ntlm_password)
  >   check_ntlm_password:  Authentication for user [username] ->
  > [username] FAILED with error NT_STATUS_NO_SUCH_USER
  > I also wonder if I shall still sync the users local, or is it needed ?
  > Thanks again,
  > Matt
  > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <
  >> Hi Matt
  >> From our smb.conf file:
  >> [global]
  >>    security = user
  >>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
  >>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
  >>    ldap admin dn = cn=Directory Manager
  >> So yes, we use Directory Manager, it works for us. I have not tried a
  >> less powerful user, but it is conceivable that a lesser user may not
  >> all the required attributes, resulting in "no such user" errors.
  >> Chris
  >> From:   "Matt ." <yamakasi....@gmail.com>
  >> To:     Christopher Lamb/Switzerland/IBM@IBMCH
  >> Cc:     "freeipa-users@redhat.com" <freeipa-users@redhat.com>
  >> Date:   04.08.2015 13:32
  >> Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
  >> Hi Chris,
  >> Thanks for the heads up, indeed local is 4 I see now when I add a
  >> group from the GUI, great thanks!
  >> But do you use Directory Manager as ldap admin user or some other
  >> admin account ?
  >> I'm not sure if DM is needed and it should get that deep into IPA.
  >> Also when starting samba it cannot find "such user" as that sounds
  >> quite known as it has no UID.
  >> From your config I see you use DM, this should work?
  >> Thanks!
  >> Matt

  Manage your subscription for the Freeipa-users mailing list:
  Go to http://freeipa.org for more info on the project
