On Fri, 07 Aug 2015, Matt . wrote:
Hi Alexander,

Yes, this is known, but it's not usable yet, at least not on an Ubuntu
Samba server as far as I know?

If so, maybe you can help us out here and clear up how to do it.
Sorry, I cannot help you with Ubuntu setup, you need to figure it out
yourself. I did write the original instructions Youenn referred to, so I
know they work well, and Youenn's configuration just proves that.

Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
against Heimdal, only MIT Kerberos. So you cannot use the Ubuntu-provided
Samba build this way.

Whatever you do, you'd be outside the supported way -- either when you
modify the IPA LDAP schema or when you build Samba on Ubuntu with MIT
Kerberos. I don't want to spend time digging up unsupported configuration
details when the same time could be spent on improving FreeIPA 4.2 and
bringing the SSSD+Samba setup closer to where we want to have it. Maybe it
sounds harsh, but we have to decide which battles we think are more
important, and to me this one is more important, even considering my spare
time.

Thanks!

Matt

2015-08-07 23:09 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
On Thu, 06 Aug 2015, Christopher Lamb wrote:

Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: in
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong
end of the stick) requires Active Directory in the architecture.

Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse the IPA design for AD integration via
trust for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only reason we don't support it (yet) is
because we think doing a longer-term solution via SSSD and NTLMSSP
support is better scalability-wise -- your SSSD client already has an
LDAP connection and is already holding identity mappings in its cache, so
there is no need to run a separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy
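The practical check behind Alexander's point (ipasam.so builds only against MIT Kerberos, and Ubuntu's Samba is built with Heimdal) is to find out which Kerberos implementation a given smbd is actually linked against before attempting the ipasam route. The script below is an added example, not code from the thread, FreeIPA or Samba. It classifies by shared-library names, and those names are assumptions of this example rather than facts stated in the thread: MIT Kerberos as libkrb5.so.3 and libgssapi_krb5.so.2; Heimdal as libkrb5.so.26 and libgssapi.so.3, or Samba's bundled copies with names like libkrb5-samba4.so.26. The sample ldd output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: decide whether a Samba binary is linked against MIT Kerberos
# or Heimdal, the distinction ipasam.so depends on (it needs MIT).
# Library-name assumptions (not from the thread):
#   MIT Kerberos : libkrb5.so.3, libgssapi_krb5.so.2
#   Heimdal      : libkrb5.so.26, libgssapi.so.3, or Samba's bundled copies
#                  named like libkrb5-samba4.so.26 / libgssapi-samba4.so.2

# Read ldd-style (or readelf -d style) lines on stdin and print one of
# mit | heimdal | mixed | unknown.
krb5_flavor() {
    awk '
        /libgssapi_krb5\.so\.2/ || /libkrb5\.so\.3([^0-9]|$)/ { mit = 1 }
        /libkrb5\.so\.26/ || /libgssapi\.so\.3/ || /libkrb5-samba/ || /libgssapi-samba/ { heimdal = 1 }
        END {
            if (mit && heimdal)  print "mixed"
            else if (mit)        print "mit"
            else if (heimdal)    print "heimdal"
            else                 print "unknown"
        }'
}

# Inspect a real smbd ($1, or the first smbd on PATH). ldd is used because it
# follows transitive dependencies: smbd normally reaches libkrb5 through
# Samba's own private libraries, so readelf -d would list only direct
# NEEDED entries and could miss it. Caveat: ldd may execute the binary's
# dynamic loader, so only point it at a binary you trust.
check_smbd() {
    bin=${1:-$(command -v smbd 2>/dev/null)}
    if [ -z "$bin" ] || [ ! -x "$bin" ]; then
        echo "smbd not found" >&2
        return 1
    fi
    ldd "$bin" | krb5_flavor
}

# Constructed sample ldd output (not captured from a real system) so the
# script runs offline.
SAMPLE_MIT='  libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f00)
  libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f01)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'
SAMPLE_HEIMDAL='  libkrb5-samba4.so.26 => /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26 (0x00007f00)
  libgssapi-samba4.so.2 => /usr/lib/x86_64-linux-gnu/samba/libgssapi-samba4.so.2 (0x00007f01)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)'

echo "sample MIT build:     $(printf '%s\n' "$SAMPLE_MIT" | krb5_flavor)"
echo "sample Heimdal build: $(printf '%s\n' "$SAMPLE_HEIMDAL" | krb5_flavor)"
```

On the server itself, run `check_smbd` (or `check_smbd /path/to/smbd`): only a result of `mit` satisfies the build precondition for ipasam.so; `heimdal` is what Alexander says an Ubuntu-packaged Samba will give, and `mixed` or `unknown` means the library names on that system differ from the assumptions above and the output of `ldd` should be read by hand.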