Yes I'm on the same path, but for now I would like to get it working
on Ubuntu for the time being.
Are you sure Ubuntu is not MIT? We have discussed that some time ago
on IRC and it seemed to be that Ubuntu was built against MIT.
2015-08-07 23:37 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Fri, 07 Aug 2015, Matt . wrote:
>> Hi Alexander,
>> Yes, this is known, but it's not usable yet, at least not on an Ubuntu
>> Samba server as far as I know?
>> If so, maybe you can help us out here to clear this up how to do it.
> Sorry, I cannot help you with Ubuntu setup, you need to figure it out
> yourself. I did write original instructions Youenn referred to, so I
> know they work well and Youenn's configuration just proves that.
> Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
> against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
> Samba build this way.
> Anything you would do, you'd be out of supported way -- either when you
> modify IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
> I don't want to spend time on digging up unsupported configuration
> details when the same time could be spent on improving FreeIPA 4.2 and
> bringing SSSD+Samba setup closer to where we want to have it. Maybe it
> sounds harsh but we have to decide what battles we think are more
> important and to me this one is more important even considering my spare
>> 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
>>> On Thu, 06 Aug 2015, Christopher Lamb wrote:
>>>> Hi Matt
>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA
>>>> integration paths.
>>>> The route I took is suited where there is no Active Directory involved: in
>>>> my case all the Windows, OSX and Linux clients are islands that sit on the
>>>> same network.
>>>> The route that Youenn has taken (unless I have got completely the wrong end
>>>> of the stick) requires Active Directory in the architecture.
>>> Yes, you are at the wrong end of the stick. You don't need AD in the
>>> architecture here. You can reuse IPA design for AD integration via trust
>>> for normal Samba integration but use ipasam.so instead of ldapsam.so.
>>> This is what Youenn did. The only way we don't support it (yet) is
>>> because we think doing a longer term solution via SSSD and NTLMSSP
>>> support is better scalability-wise -- your SSSD client is already having
>>> LDAP connection and is already holding identity mappings in the cache so
>>> there is no need to run separate LDAP connection in smbd/winbindd for
>>> that and cache the same data in a different way.
>>> / Alexander Bokovoy
>> Manage your subscription for the Freeipa-users mailing list:
>> Go to http://freeipa.org for more info on the project
> / Alexander Bokovoy