On Fri, 30 Oct 2015, Troels Hansen wrote:
Well, I think the problem here being that I miss the attributes.  One
"funny" thing being that apparently, some users have had ipantuserattrs
objectclass and an ipaNTSecurityIdentifier SID added. Some don't
(including mine).  Tried adding a new user, just to test, and this gets
created with an ipaNTSecurityIdentifier, however, my old users still
don't.  I guess I just need a way to have IPA add ipantuserattrs and
ipaNTSecurityIdentifier to my existing users.
Not sure what you expect.

Modifying attributes for existing users takes time so we don't do it
automatically. When you run ipa-adtrust-install, it does ask you to run
a task that does the work of generating SIDs and adding needed
attributes/object classes.

However, ipaNTHash will not be there until either of two events happens:
- user changes password;
- user authenticates with Kerberos against Samba running on IPA master.


when running ipa-adtrust-install it finds 85 users without SIDs, and I
install the SID plugin (which is just 2 LDIFs), but this still doesn't
do anything.
*you* install the SID plugin or ipa-adtrust-install adds two plugins and
then runs a task to generate SIDs?


----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.d...@gmail.com> wrote:

Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
--add-sids. I did notice when I was setting this up recently that I had to run
the adtrust-install command whenever I added new users or groups. I don't know
if it was just me being impatient or a limitation. Another thing I noticed that
is different between our two setups is I couldn't get this setup to work on a
separate host, I am running samba on the same host as my ipa service.

--Joshua D Doll

On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < t...@casalogic.dk > wrote:

Same result...

ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.d...@gmail.com > wrote:

What about as directory manager?

--Joshua D Doll

On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < t...@casalogic.dk > wrote:

I should think so:

On IPA server.

ipa role-show 'CIFS server'
  Role name: CIFS server
  Privileges: CIFS server privilege
  Member services: cifs/tinkerbell.casalogic....@casalogic.lan

ipa privilege-show 'CIFS server privilege'
  Privilege name: CIFS server privilege
  Permissions: CIFS test, CIFS server can read user passwords
  Granting privilege to roles: CIFS server

ipa permission-show 'CIFS server can read user passwords'
  Permission name: CIFS server can read user passwords
  Granted rights: read, search, compare
  Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
  Type: user
  Granted to Privilege: CIFS server privilege
  Indirect Member of roles: CIFS server

ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic....@casalogic.lan -k /tmp/samba.keytab

samba.keytab copied to samba server.

on samba server (tinkerbell):
kdestroy -A
kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash

SASL/GSSAPI authentication started
SASL username: cifs/tinkerbell.casalogic....@casalogic.lan
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.d...@gmail.com > wrote:

Are you using the correct principal for the ldapsearch? Did you grant it
permissions to view those attributes?
--Joshua D Doll
On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < t...@casalogic.dk > wrote:

Hmm, weird.
I ran ipa-adtrust-install and it said it had users without SIDs, and I
told it to generate SIDs.
However, I still can't see them on the user.
An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.

ldapsearch -Y GSSAPI uid=th ipaNTHash
.......
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

.....

Samba however starts fine now, but unable to find any users:
pdbedit -Lv
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan

----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.d...@gmail.com > wrote:

To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
would be nice if there was a way to generate these values another way, maybe
there is but I missed it.

--Joshua D Doll

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--

Kind regards

Troels Hansen

System Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.



--
/ Alexander Bokovoy
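The three failure modes discussed in this thread are easy to confuse from ldapsearch output alone: the SID-generation task has not run (no ipaNTSecurityIdentifier at all), the task has run but ipaNTHash has not been created yet (it appears only after a password change or a Kerberos authentication against Samba on the IPA master), or the attribute exists but the cifs/ principal's permission chain does not let it read it. The script below is an added example, not code from FreeIPA or from anyone in the thread. It parses the LDIF that ldapsearch prints and compares the Directory Manager view (which bypasses ACIs) with the service principal's view to tell those cases apart. The domain dc=example,dc=test, the SID value and the function names are my own; the sample NT hash is MD4("") used only as a placeholder for the binary value ldapsearch prints base64-encoded.

```python
"""Classify why ipaNTHash is missing from an ldapsearch against FreeIPA.

Added example for this thread, not code from FreeIPA or from any poster.
It parses the LDIF that
  ldapsearch ... uid=<user> ipaNTHash ipaNTSecurityIdentifier
prints and compares two views of the same user: the cn=Directory Manager
bind (not subject to ACIs) and the cifs/ service principal (subject to the
permission -> privilege -> role chain). All LDIF below is constructed;
nothing talks to an LDAP server.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Diagnosis codes and what the thread says to do about each.
EXPLANATIONS = {
    "NOT_FOUND": "no entry for that uid under cn=accounts; check the uid and search base",
    "ACI_DENIED": "Directory Manager sees the attribute but the service principal does not: "
                  "fix the permission -> privilege -> role -> service membership chain",
    "NO_SID": "no ipaNTSecurityIdentifier: run ipa-adtrust-install --add-sids so the "
              "SID-generation task adds ipantuserattrs and the SID to existing users",
    "NO_NTHASH": "SID present but no ipaNTHash: it is only written when the user changes "
                 "their password or authenticates with Kerberos against Samba on the IPA master",
    "OK": "both attributes are readable by the service principal",
}


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {dn: {attr_lowercase: [values]}} from ldapsearch output.

    Handles '#' comments, folded lines (leading space) and base64 values
    ('attr:: ...', decoded with latin-1 so binary values such as ipaNTHash
    round-trip). Trailing blocks without a dn (search:/result:) are dropped.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
        elif line.startswith("#"):
            continue
        elif ":: " in line:
            attr, value = line.split(":: ", 1)
            current.setdefault(attr.lower(), []).append(
                base64.b64decode(value).decode("latin-1"))
        elif ": " in line:
            attr, value = line.split(": ", 1)
            current.setdefault(attr.lower(), []).append(value)
    return entries


def account_entry(entries: Dict[str, Entry], uid: str) -> Optional[Entry]:
    """Pick the real user entry (cn=accounts); the cn=compat view never carries these attributes."""
    for dn, attrs in entries.items():
        low = dn.lower()
        if low.startswith(f"uid={uid.lower()},") and ",cn=accounts," in low:
            return attrs
    return None


def diagnose(dm_ldif: str, svc_ldif: str, uid: str) -> str:
    """Compare Directory Manager and service-principal views; return a key of EXPLANATIONS."""
    dm = account_entry(parse_ldif(dm_ldif), uid)
    svc = account_entry(parse_ldif(svc_ldif), uid) or {}
    if dm is None:
        return "NOT_FOUND"
    for attr in ("ipantsecurityidentifier", "ipanthash"):
        if attr in dm and attr not in svc:
            return "ACI_DENIED"       # the value exists; the principal just cannot read it
    if "ipantsecurityidentifier" not in dm:
        return "NO_SID"
    if "ipanthash" not in dm:
        return "NO_NTHASH"
    return "OK"


def sample_ldif(account_attrs: str = "") -> str:
    """Constructed ldapsearch output shaped like the thread's; extra attribute
    lines (newline-terminated) are appended to the cn=accounts entry."""
    return (
        "# extended LDIF\n#\n# LDAPv3\n"
        "# base <dc=example,dc=test> (default) with scope subtree\n"
        "# filter: uid=th\n# requesting: ipaNTHash ipaNTSecurityIdentifier\n#\n\n"
        "# th, users, compat, example.test\n"
        "dn: uid=th,cn=users,cn=compat,dc=example,dc=test\n\n"
        "# th, users, accounts, example.test\n"
        "dn: uid=th,cn=users,cn=accounts,dc=example,dc=test\n" + account_attrs +
        "\n# search result\nsearch: 2\nresult: 0 Success\n\n# numResponses: 3\n# numEntries: 2\n"
    )


# Constructed values: a made-up domain SID and, for the NT hash, MD4("") as a
# placeholder; ldapsearch prints the binary attribute base64-encoded ("::").
SID_LINE = "ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1005\n"
NTHASH_LINE = "ipaNTHash:: " + base64.b64encode(
    bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")).decode() + "\n"

if __name__ == "__main__":
    for label, dm, svc in [
        ("thread, before SIDs", sample_ldif(), sample_ldif()),
        ("after --add-sids", sample_ldif(SID_LINE), sample_ldif(SID_LINE)),
        ("hash set, ACI wrong", sample_ldif(SID_LINE + NTHASH_LINE), sample_ldif(SID_LINE)),
        ("working", sample_ldif(SID_LINE + NTHASH_LINE), sample_ldif(SID_LINE + NTHASH_LINE)),
    ]:
        code = diagnose(dm, svc, "th")
        print(f"{label:22} {code:11} {EXPLANATIONS[code]}")
```

To use it against a real server, run the same ldapsearch twice, once bound as cn=Directory Manager (-x -W -D) and once as the cifs/ principal (-Y GSSAPI after kinit -kt with the service keytab), requesting both ipaNTHash and ipaNTSecurityIdentifier, and feed the two outputs to diagnose(). Treat the Directory Manager output as password-equivalent material: ipaNTHash is the NT hash, so delete the capture afterwards.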
