On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen <t...@casalogic.dk> wrote:
> This might be related to the old thread
> but on the other side not quite, and can't see that it has been
> I have been spending quite some time on this, but haven't been able to
> solve it yet.
> My problem is:
> I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
> No Windows and definitely no AD, however we use Samba for sharing files to
> some clients.
> Clients are mostly Ubuntu-based laptops, completely individually managed.
> No central user admin or anything.
> Users manage their own PC 100%.
> We have two IPA servers set up, and all Linux servers authenticate against
> IPA and all that works flawlessly.
> We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4,
> using the ipa migrate script and this also worked fine.
> Now comes the tricky part that I haven't been able to solve.
> I can't seem to set Samba to play with IPA.
> I have been trying to use plain old ldapsam backend, but never managed to
> get it to work.
> Seems Samba can't authenticate users.
> Tried ipasam backend, using kerberos, following the instructions from the
> old thread:
> Samba fails to start up, with a:
> [2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam)
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain. We cannot work reliably without it.
> [2015/10/27 14:13:42.127785, 0]
> pdb backend ipasam:"ldaps://kenai.casalogic.lan
> ldaps://koda.casalogic.lan" did not correctly init (error was
> If I look at the users directly in LDAP, I can see they don't have an
> ipaNTHash or ipaNTSecurityIdentifier attribute, however have preserved
> their old LDAP-ish sambaLMPassword and sambaNTPassword
> I might be completely off, but I need Samba to authenticate users against
> IPA, using password, and not krb as I have no control over the clients.
> FreeIPA is currently 4.1
> Kind regards
> *Troels Hansen*
> Casalogic A/S
> T (+45) 70 20 10 63
> M (+45) 22 43 71 57
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
the ipa-adtrust-install --add-sids, even though I was not setting up a
trust. It would be nice if there was a way to generate these values another
way, maybe there is but I missed it.
--Joshua D Doll
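
A check for the condition discussed in this thread, as an added example that is not part of either message: it reads an LDIF export on stdin and lists the users that lack `ipaNTHash` or `ipaNTSecurityIdentifier`, flagging those that still carry the legacy `sambaNTPassword`. The function names, the sample entries and the `dc=example,dc=test` base DN are assumptions made for illustration.

```shell
# Added example, not from the thread. Assumed way to produce the input
# (placeholder base DN; bind as an identity permitted to read ipaNTHash):
#   ldapsearch -o ldif-wrap=no -b "cn=users,cn=accounts,dc=example,dc=test"
#     "(objectClass=posixAccount)" uid ipaNTHash ipaNTSecurityIdentifier sambaNTPassword
audit_ipasam_attrs() {
    awk '
    function report(   miss, tag) {
        if (uid != "") {
            miss = ""
            if (!hash) miss = "ipaNTHash"
            if (!sid)  miss = (miss == "" ? "" : miss ",") "ipaNTSecurityIdentifier"
            tag = legacy ? " (legacy sambaNTPassword present)" : ""
            if (miss != "") print uid ": missing " miss tag
        }
        uid = ""; hash = 0; sid = 0; legacy = 0
    }
    /^$/    { report(); next }   # a blank line ends an LDIF entry
    /^[ #]/ { next }             # skip comments and folded continuation lines
    {
        name = tolower($0); sub(/:.*/, "", name)   # attribute name, any case
        if (name == "uid") { uid = $0; sub(/^[^:]*:+[ ]*/, "", uid) }
        else if (name == "ipanthash") hash = 1
        else if (name == "ipantsecurityidentifier") sid = 1
        else if (name == "sambantpassword") legacy = 1
    }
    END { report() }             # last entry may have no trailing blank line
    '
}

# Constructed sample input; every value below is made up.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
sambaNTPassword: CONSTRUCTED-PLACEHOLDER

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTHash:: Y29uc3RydWN0ZWQ=
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1002
EOF
}

sample_ldif | audit_ipasam_attrs
```

An empty report after running `ipa-adtrust-install --add-sids` would show that the SID attribute has been filled in for every listed user.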