On 15/03/16 14:36, Alexander Bokovoy wrote:
On Tue, 15 Mar 2016, lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:

ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.

Is there a reason it skips ldap+samba typical posixGroup &
We haven't had many (any?) reports of migrating from ldap+samba.

Lastly, is there a way to preserve account locked/disabled status for
I don't know how it is stored but as long as the schema is available in IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.


last - this must most FAQ people wonder - can IPA's 389 backend be used in the same/similar fashion samba uses ldap? skipping all the kerberos bits? (samba & IPA on the same one box)
For Samba and IPA on the same box, this is configured properly with
when I started I thought to make this samba<=>ipa chatter more constructive I should do ... so I wound up with samba(@openldap) having/using the same DN as IPA has in 389. Will it work to do ipa-addtrust-install on that one box with samba+ipa ?
many thanks

It uses ipasam PASSDB module instead of ldapsam. This module knows IPA LDAP schema and is capable to do more than ldapsam, but effectively you can use resulting Samba setup in the same way as you do with ldapsam.

The configuration is:

1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file system. See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for inspiration.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to