This might be related to the old thread
https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html but on
the other side not quite, and can't see that it have been been solved.
I have been spending quite some time on this, but haven't been able to solve it
My problem is:
I have a complete new infrastructure based om RedHat7 and CentOS7 servers.
No Windows and defenently no AD, however we use Samba for sharing files to some
Clients is mostly Ubuntu based laptops, completely individually manages. No
central user admin or anything.
Users manage their own PC 100%.
We have two IPA servers set up, and all Linux servers authenticate against IPA
and all that works flawless.
We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4, using the
ipa migrate script and this also worked fine.
Now comes the tricky part that I haven't been able to solve.
I can't seem to set Samba to play with IPA.
I have been trying to use plain old ldapsam backend, but never managed to get
it to work.
Seems Samba can't authenticate users.
Tried ipasam backend, using kerberos, following the instructions from the old
Samba fails to start up, with a:
2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain. We cannot work reliably without it.
[2015/10/27 14:13:42.127785, 0]
pdb backend ipasam:"ldaps://kenai.casalogic.lan ldaps://koda.casalogic.lan" did
not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
If I look at tje users directly in LDAP, I can see they don't have a ipaNTHash
or ipaNTSecurityIdentifier attribute, however have preserved their old LDAP-ish
sambaLMPassword and sambaNTPassword
I might be completely off, but I need Samba to authenticate users against IPA,
using password, and not krb as I have no control over the clients.
FreeIPA is currently 4.1
Med venlig hilsen
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project