On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen <[email protected]> wrote:
> This might be related to the old thread
> https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html
> but on the other side not quite, and can't see that it has been solved.
>
> I have been spending quite some time on this, but haven't been able to
> solve it yet.
>
> My problem is:
>
> I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
> No Windows and definitely no AD, however we use Samba for sharing files to
> some clients.
>
> Clients are mostly Ubuntu based laptops, completely individually managed.
> No central user admin or anything.
> Users manage their own PC 100%.
>
> We have two IPA servers set up, and all Linux servers authenticate against
> IPA and all that works flawlessly.
>
> We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4,
> using the ipa migrate script and this also worked fine.
>
> Now comes the tricky part that I haven't been able to solve.
>
> I can't seem to set Samba to play with IPA.
>
> I have been trying to use plain old ldapsam backend, but never managed to
> get it to work.
> Seems Samba can't authenticate users.
>
> Tried ipasam backend, using kerberos, following the instructions from the
> old thread:
> https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
> Samba fails to start up, with a:
> 2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam)
>   pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
> [2015/10/27 14:13:42.127785, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>   pdb backend ipasam:"ldaps://kenai.casalogic.lan ldaps://koda.casalogic.lan" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> If I look at the users directly in LDAP, I can see they don't have an
> ipaNTHash or ipaNTSecurityIdentifier attribute, however they have preserved
> their old LDAP-ish sambaLMPassword and sambaNTPassword.
>
> I might be completely off, but I need Samba to authenticate users against
> IPA, using password, and not krb as I have no control over the clients.
>
> FreeIPA is currently 4.1
>
> --
> Kind regards
>
> Troels Hansen
> System consultant
> Casalogic A/S
> T (+45) 70 20 10 63
> M (+45) 22 43 71 57
> <http://www.casalogic.dk/signatur/th.vcf>
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
ipa-adtrust-install --add-sids, even though I was not setting up a trust.
It would be nice if there was a way to generate these values another way;
maybe there is but I missed it.

--Joshua D Doll
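Added example, not part of the original thread and not FreeIPA code: a small Python audit that reads an LDIF export of the accounts subtree and lists user entries that still lack ipaNTHash or ipaNTSecurityIdentifier, together with any legacy sambaNTPassword/sambaLMPassword attributes they still carry. The function names, the dc=example,dc=test DNs and every attribute value are constructed for illustration.

```python
# Added example: all DNs, SIDs and hash values below are constructed sample data.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
sambaNTPassword: 00000000000000000000000000000000
sambaLMPassword: 00000000000000000000000000000000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: Y29uc3RydWN0ZWQ=

dn: uid=carol,cn=users,cn=accounts,
 dc=example,dc=test
uid: carol
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=test
cn: editors
"""
REQUIRED = ("ipanthash", "ipantsecurityidentifier")  # attributes the thread found missing
LEGACY = ("sambantpassword", "sambalmpassword")      # preserved from the old ldapsam setup

def parse_ldif(text):
    """Return [(dn, {lowercased attribute names})], unfolding wrapped lines."""
    entries = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # LDIF continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, names = None, set()
        for line in lines:
            name, sep, value = line.partition(":")
            if sep and name.lower() == "dn":
                dn = value.lstrip(": ").strip()   # a base64 DN is left encoded
            elif sep:
                names.add(name.split(";")[0].lower())  # drop ;options
        if dn:
            entries.append((dn, names))
    return entries

def audit(text):
    """List (dn, missing, legacy) for user entries lacking a REQUIRED attribute."""
    return [(dn, [a for a in REQUIRED if a not in names], [a for a in LEGACY if a in names])
            for dn, names in parse_ldif(text)
            if "uid" in names and not names.issuperset(REQUIRED)]
```

Pass audit() the text of your own LDIF export to see which accounts remain on the legacy attributes only.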
