On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote:
> Well, I think the problem here being that I miss the attributes.
> One "funny" thing being that apparently, some users have had ipantuserattrs
> objectclass and a ipaNTSecurityIdentifier SID added. Some don't (including
> mine).
> Tried adding a new user, just to test, and this gets created with a
> ipaNTSecurityIdentifier, however, my old users still don't.
> I guess I just need a way to have IPA add ipantuserattrs and
> ipaNTSecurityIdentifier to my existing users.
>
> when running ipa-adtrust-install it finds 85 users without SID, and I install
> the SID plugin (which is just 2 LDIF's), but this still doesn't do anything.
Did you run ipa-adtrust-install with the '--add-sids' option?

About ipaNTHash, this is not created by ipa-adtrust-install or any other
tool. For the integrated smbd the NT hash is derived from a suitable
Kerberos key by adding a magic keyword to the ipaNTHash attribute. You can
try to do this manually with the following steps:

- The principal used by the internal smbd has the right permissions to add
  the attribute:

    kinit -k -t /etc/samba/samba.keytab cifs/ipa.server@IPA.DOMAIN

- write the magic keyword MagicRegen into the ipaNTHash attribute of the
  user:

    ldapmodify -Y GSSAPI -H ldap://ipa-devel.ipa.devel << END
    dn: uid=ipa_user,cn=users,cn=accounts,dc=ipa,dc=domain
    changetype: modify
    add: ipaNTHash
    ipaNTHash: MagicRegen
    END

If a suitable Kerberos key was available the user object now has the
ipaNTHash attribute set with the right NT hash value.

HTH

bye,
Sumit

>
> ----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.d...@gmail.com> wrote:
>
> > Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
> > --add-sids. I did notice when I was setting this up recently that I had to
> > run the adtrust-install command whenever I added new users or groups. I
> > don't know if it was just me being impatient or a limitation. Another thing
> > I noticed that is different between our two setups is I couldn't get this
> > setup to work on a separate host, I am running samba on the same host as my
> > ipa service.
>
> > --Joshua D Doll
>
> > On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < t...@casalogic.dk > wrote:
>
> >> Same result...
> >
> >> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <dc=casalogic,dc=lan> (default) with scope subtree
> >> # filter: uid=th
> >> # requesting: ipaNTHash
> >> #
> >
> >> # th, users, compat, casalogic.lan
> >> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> >
> >> # th, users, accounts, casalogic.lan
> >> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> >
> >> # search result
> >> search: 2
> >
> >> result: 0 Success
> >
> >> # numResponses: 3
> >> # numEntries: 2
> >
> >> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.d...@gmail.com > wrote:
> >
> >>> What about as directory manager?
> >
> >>> --Joshua D Doll
> >
> >>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < t...@casalogic.dk > wrote:
> >
> >>>> I should think so:
> >
> >>>> On IPA server.
> >
> >>>> ipa role-show 'CIFS server'
> >>>> Role name: CIFS server
> >>>> Privileges: CIFS server privilege
> >>>> Member services: cifs/tinkerbell.casalogic....@casalogic.lan
> >
> >>>> ipa privilege-show 'CIFS server privilege'
> >>>> Privilege name: CIFS server privilege
> >>>> Permissions: CIFS test, CIFS server can read user passwords
> >>>> Granting privilege to roles: CIFS server
> >
> >>>> ipa permission-show 'CIFS server can read user passwords'
> >>>> Permission name: CIFS server can read user passwords
> >>>> Granted rights: read, search, compare
> >>>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
> >>>> Bind rule type: permission
> >>>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
> >>>> Type: user
> >>>> Granted to Privilege: CIFS server privilege
> >>>> Indirect Member of roles: CIFS server
> >
> >>>> ipa-getkeytab -s kenai.casalogic.lan -p
> >>>> cifs/tinkerbell.casalogic....@casalogic.lan -k /tmp/samba.keytab
> >
> >>>> samba.keytab copied to samba server.
> >
> >>>> on samba server (tinkerbell):
> >>>> kdestroy -A
> >>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> >>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
> >
> >>>> SASL/GSSAPI authentication started
> >>>> SASL username: cifs/tinkerbell.casalogic....@casalogic.lan
> >>>> SASL SSF: 56
> >>>> SASL data security layer installed.
> >>>> # extended LDIF
> >>>> #
> >>>> # LDAPv3
> >>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
> >>>> # filter: uid=th
> >>>> # requesting: ipaNTHash
> >>>> #
> >
> >>>> # th, users, compat, casalogic.lan
> >>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> >
> >>>> # th, users, accounts, casalogic.lan
> >>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> >
> >>>> # search result
> >>>> search: 4
> >>>> result: 0 Success
> >
> >>>> # numResponses: 3
> >>>> # numEntries: 2
> >
> >>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.d...@gmail.com > wrote:
> >
> >>>>> Are you using the correct principal for the ldapsearch? Did you grant it
> >>>>> permissions to view those attributes?
> >>>>> --Joshua D Doll
> >>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < t...@casalogic.dk > wrote:
> >
> >>>>>> Hmm, weird.
> >>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
> >>>>>> told it to generate SIDs.
> >>>>>> However, I still can't see them on the user.
> >>>>>> an IPA-db doesn't reveal them being generated and I can't look them up
> >>>>>> via LDAP.
> >
> >>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
> >>>>>> .......
> >>>>>> # th, users, compat, casalogic.lan
> >>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> >
> >>>>>> # th, users, accounts, casalogic.lan
> >>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> >
> >>>>>> .....
> >
> >>>>>> Samba however starts fine now, but unable to find any users:
> >>>>>> pdbedit -Lv
> >>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
> >>>>>> casalogic.lan
> >
> >>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.d...@gmail.com > wrote:
> >
> >>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to
> >>>>>>> run the ipa-adtrust-install --add-sids, even though I was not setting
> >>>>>>> up a trust. It would be nice if there was a way to generate these
> >>>>>>> values another way, maybe there is but I missed it.
> >
> >>>>>>> --Joshua D Doll
> >
> >>>>>>> --
> >>>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>> Go to http://freeipa.org for more info on the project
> >
> >>>> --
> >
> >>>> Kind regards
> >
> >>>> Troels Hansen
> >
> >>>> Systems consultant
> >
> >>>> Casalogic A/S
> >
> >>>> T (+45) 70 20 10 63
> >
> >>>> M (+45) 22 43 71 57
> >
> >>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB,
> >>>> Sophos and much more.
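The two fixes discussed in this thread are separate: missing ipaNTSecurityIdentifier values come from running ipa-adtrust-install --add-sids, while a missing ipaNTHash is regenerated per user by writing the keyword MagicRegen into that attribute as a principal that holds the "CIFS server can read user passwords" permission. The script below is an added example, not code from the thread or from FreeIPA or Samba. It audits an ldapsearch LDIF dump for users under cn=users,cn=accounts that lack a given attribute (entries in the cn=compat tree, which never carry these attributes, are skipped, and a base64-encoded "ipaNTHash::" line counts as present) and builds the exact ldapmodify input Sumit describes. The base DN dc=example,dc=test, the users th and alice, and the SID value in SAMPLE_LDIF are constructed for the demo; regen_nthash sends the LDIF with ldapmodify -Y GSSAPI -H as in the thread and is not invoked by the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Samba: audit which IPA
# users lack an NT attribute and build the ldapmodify input that asks IPA to
# regenerate ipaNTHash. Base DN, uids and the SID below are constructed.
set -eu

# Read an ldapsearch LDIF dump on stdin and print the uid of every entry under
# cn=users,cn=accounts that carries no "<attr>:" line. Entries from other
# trees (e.g. cn=compat) are ignored, since they never carry these attributes.
users_without_attr() {
    attr=$1
    uid=""
    has=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "dn: uid="*",cn=users,cn=accounts,"*)
                uid=${line#dn: uid=}      # strip "dn: uid="
                uid=${uid%%,*}            # keep the RDN value only
                has=0
                ;;
            "dn: "*)                      # any other entry, e.g. compat tree
                uid=""
                has=0
                ;;
            "$attr: "*|"$attr:: "*)       # plain or base64-encoded value present
                has=1
                ;;
            "")                           # blank line ends the current entry
                if [ -n "$uid" ] && [ "$has" -eq 0 ]; then
                    printf '%s\n' "$uid"
                fi
                uid=""
                has=0
                ;;
        esac
    done
    # dump that ends without a trailing blank line
    if [ -n "$uid" ] && [ "$has" -eq 0 ]; then
        printf '%s\n' "$uid"
    fi
}

# Build the ldapmodify input Sumit described: adding the keyword MagicRegen to
# ipaNTHash makes IPA derive the NT hash from the user's Kerberos key.
# $1 = uid, $2 = base DN.
magicregen_ldif() {
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nadd: ipaNTHash\nipaNTHash: MagicRegen\n' "$1" "$2"
}

# Apply it for one user as the cifs/ service principal; needs a prior
# "kinit -k -t /etc/samba/samba.keytab cifs/<host>@<REALM>". Not run by the demo.
# $1 = uid, $2 = base DN, $3 = LDAP URI of the IPA server.
regen_nthash() {
    magicregen_ldif "$1" "$2" | ldapmodify -Y GSSAPI -H "$3"
}

# Constructed ldapsearch output: "th" already has a SID, "alice" has neither
# attribute, and neither user has ipaNTHash yet.
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <dc=example,dc=test> (default) with scope subtree
# filter: (objectClass=posixaccount)
# requesting: ipaNTSecurityIdentifier ipaNTHash
#

# th, users, compat, example.test
dn: uid=th,cn=users,cn=compat,dc=example,dc=test

# th, users, accounts, example.test
dn: uid=th,cn=users,cn=accounts,dc=example,dc=test
ipaNTSecurityIdentifier: S-1-5-21-1111-2222-3333-1001

# alice, users, accounts, example.test
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test

# search result
search: 2
result: 0 Success
'

# Demo: who still needs --add-sids, and what to send for each missing ipaNTHash.
demo() {
    echo "users without ipaNTSecurityIdentifier (run ipa-adtrust-install --add-sids):"
    printf '%s' "$SAMPLE_LDIF" | users_without_attr ipaNTSecurityIdentifier
    echo "users without ipaNTHash (ldapmodify input to send as the cifs/ principal):"
    for u in $(printf '%s' "$SAMPLE_LDIF" | users_without_attr ipaNTHash); do
        magicregen_ldif "$u" "dc=example,dc=test"
        echo
    done
}
demo
```

Against a real server the dump must be produced by a principal that can read ipaNTHash (the cifs/ service principal with the permission Troels showed, or Directory Manager); as the thread's ldapsearch output shows, a bind that lacks that permission simply returns the entries without the attribute, which this audit would misreport as "missing".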