This might be related to the old thread but on 
the other side not quite, and can't see that it have been been solved. 

I have been spending quite some time on this, but haven't been able to solve it 

My problem is: 

I have a complete new infrastructure based om RedHat7 and CentOS7 servers. 
No Windows and defenently no AD, however we use Samba for sharing files to some 

Clients is mostly Ubuntu based laptops, completely individually manages. No 
central user admin or anything. 
Users manage their own PC 100%. 

We have two IPA servers set up, and all Linux servers authenticate against IPA 
and all that works flawless. 

We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4, using the 
ipa migrate script and this also worked fine. 

Now comes the tricky part that I haven't been able to solve. 

I can't seem to set Samba to play with IPA. 

I have been trying to use plain old ldapsam backend, but never managed to get 
it to work. 
Seems Samba can't authenticate users. 

Tried ipasam backend, using kerberos, following the instructions from the old 
Samba fails to start up, with a: 
2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam) 
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the 
domain. We cannot work reliably without it. 
[2015/10/27 14:13:42.127785, 0] 
pdb backend ipasam:"ldaps://kenai.casalogic.lan ldaps://koda.casalogic.lan" did 
not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO) 

If I look at tje users directly in LDAP, I can see they don't have a ipaNTHash 
or ipaNTSecurityIdentifier attribute, however have preserved their old LDAP-ish 
sambaLMPassword and sambaNTPassword 

I might be completely off, but I need Samba to authenticate users against IPA, 
using password, and not krb as I have no control over the clients. 

FreeIPA is currently 4.1 


Med venlig hilsen 

Troels Hansen 


Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og 
meget mere. 
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to