Hi Alexander,

Yes I'm on the same path, but for now I would like to get it working on Ubuntu for the time being.

Are you sure Ubuntu is not MIT? We have discussed that some time ago on IRC and it seemed to be that Ubuntu was built against MIT.

Cheers,

Matt

2015-08-07 23:37 GMT+02:00 Alexander Bokovoy <[email protected]>:
> On Fri, 07 Aug 2015, Matt . wrote:
>>
>> Hi Alexander,
>>
>> Yes this is known, but it's not usable yet, at least not on an Ubuntu
>> Samba server as far as I know?
>>
>> If so, maybe you can help us out here to clear this up how to do it.
>
> Sorry, I cannot help you with Ubuntu setup, you need to figure it out
> yourself. I did write original instructions Youenn referred to, so I
> know they work well and Youenn's configuration just proves that.
>
> Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
> against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
> Samba build this way.
>
> Anything you would do, you'd be out of supported way -- either when you
> modify IPA LDAP schema or when build Samba in Ubuntu with MIT Kerberos.
> I don't want to spend time on digging up unsupported configuration
> details when the same time could be spent on improving FreeIPA 4.2 and
> bringing SSSD+Samba setup closer to where we want to have it. Maybe it
> sounds harsh but we have to decide what battles we think are more
> important and to me this one is more important even considering my spare
> time.
>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy <[email protected]>:
>>>
>>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>>
>>>> Hi Matt
>>>>
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>>
>>>> The route I took is suited where there is no Active Directory involved:
>>>> In my case all the Windows, OSX and Linux clients are islands that sit
>>>> on the same network.
>>>>
>>>> The route that Youenn has taken (unless I have got completely the wrong
>>>> end of the stick) requires Active Directory in the architecture.
>>>
>>> Yes, you are at the wrong end of the stick. You don't need AD in the
>>> architecture here. You can reuse IPA design for AD integration via trust
>>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>>> This is what Youenn did. The only way we don't support it (yet) is
>>> because we think doing a longer term solution via SSSD and NTLMSSP
>>> support is better scalability-wise -- your SSSD client is already having
>>> LDAP connection and is already holding identity mappings in the cache so
>>> there is no need to run separate LDAP connection in smbd/winbindd for
>>> that and cache the same data in a different way.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy
