Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
--add-sids. I did notice when I was setting this up recently that I had to
run the adtrust-install command whenever I added new users or groups. I
don't know if it was just me being impatient or a limitation. Another thing
I noticed that is different between our two setups is I couldn't get this
setup to work on a separate host, I am running samba on the same host as my
ipa service.

--Joshua D Doll

On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen <t...@casalogic.dk> wrote:

> Same result...
>
> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
> ipaNTHash
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=casalogic,dc=lan> (default) with scope subtree
> # filter: uid=th
> # requesting: ipaNTHash
> #
>
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> # search result
> search: 2
>
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <joshua.d...@gmail.com>
> wrote:
>
> What about as directory manager?
>
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <t...@casalogic.dk> wrote:
>
>> I should think so:
>>
>> On IPA server.
>>
>> ipa role-show 'CIFS server'
>>   Role name: CIFS server
>>   Privileges: CIFS server privilege
>>   Member services: cifs/tinkerbell.casalogic....@casalogic.lan
>>
>> ipa privilege-show 'CIFS server privilege'
>>   Privilege name: CIFS server privilege
>>   Permissions: CIFS test, CIFS server can read user passwords
>>   Granting privilege to roles: CIFS server
>>
>> ipa permission-show 'CIFS server can read user passwords'
>>   Permission name: CIFS server can read user passwords
>>   Granted rights: read, search, compare
>>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>   Bind rule type: permission
>>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>   Type: user
>>   Granted to Privilege: CIFS server privilege
>>   Indirect Member of roles: CIFS server
>>
>> ipa-getkeytab -s kenai.casalogic.lan -p
>> cifs/tinkerbell.casalogic....@casalogic.lan -k /tmp/samba.keytab
>>
>> samba.keytab copied to samba server.
>>
>> on samba server (tinkerbell):
>> kdestroy -A
>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>>
>> SASL/GSSAPI authentication started
>> SASL username: cifs/tinkerbell.casalogic....@casalogic.lan
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>>
>>
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>>
>>
>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <joshua.d...@gmail.com>
>> wrote:
>>
>> Are you using the correct principal for the ldapsearch? Did you grant it
>> permissions to view those attributes?
>> --Joshua D Doll
>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <t...@casalogic.dk> wrote:
>>
>>> Hmm, weird.
>>> I ran ipa-adtrust-install and it says it said it had user without SID's,
>>> and I told it to generete SID's.
>>> However, I still can't see them on the user.
>>> a IPA-db doesn't reveal them being generated and I can't look them up
>>> via LDAP.
>>>
>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>> .......
>>> # th, users, compat, casalogic.lan
>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>
>>> # th, users, accounts, casalogic.lan
>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>
>>> .....
>>>
>>> Samba however starts fine now, but unable to find any users:
>>> pdbedit -Lv
>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>>> casalogic.lan
>>>
>>>
>>>
>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <joshua.d...@gmail.com>
>>> wrote:
>>>
>>>
>>>
>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to
>>> run the ipa-adtrust-install --add-sids, even though I was not setting up a
>>> trust. It would be nice if there was a way to generate these values another
>>> way, maybe there is but I missed it.
>>>
>>> --Joshua D Doll
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>> --
>>
>> Med venlig hilsen
>>
>> *Troels Hansen*
>>
>> Systemkonsulent
>>
>> Casalogic A/S
>>
>> T  (+45) 70 20 10 63
>>
>> M (+45) 22 43 71 57
>> <http://www.casalogic.dk/signatur/th.vcf>
>> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
>> og meget mere.
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
> --
>
> Med venlig hilsen
>
> *Troels Hansen*
>
> Systemkonsulent
>
> Casalogic A/S
>
> T  (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> <http://www.casalogic.dk/signatur/th.vcf>
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> og meget mere.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to