On 15/03/16 14:36, Alexander Bokovoy wrote:
On Tue, 15 Mar 2016, lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:
with...
ipa: ERROR: group LDAP search did not return any
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass:
groupofuniquenames,
groupofnames)
I see users went in but later I realized that current
samba's ou was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in
IPA.
thanks Rob, may I ask why process by defaults looks up
only objectclass:
groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.
Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from
ldap+samba.
Lastly, is there a way to preserve account
locked/disabled status for
posix/samba?
I don't know how it is stored but as long as the schema
is available in
IPA then the values should be preserved on migration
unless the
attributes are associated with a blacklisted objectclass.
rob
last - this must most FAQ people wonder - can IPA's 389
backend be used in the same/similar fashion samba uses
ldap? skipping all the kerberos bits? (samba & IPA on the
same one box)
For Samba and IPA on the same box, this is configured
properly with
ipa-adtrust-install.
when I started I thought to make this samba<=>ipa chatter
more constructive I should do ... so I wound up with
samba(@openldap) having/using the same DN as IPA has in 389.
Will it work to do ipa-addtrust-install on that one box with
samba+ipa ?
many thanks
L.
It uses ipasam PASSDB module instead of ldapsam. This
module knows IPA
LDAP schema and is capable to do more than ldapsam, but
effectively you
can use resulting Samba setup in the same way as you do
with ldapsam.
The configuration is:
1. Install ipa-server-trust-ad (freeipa-server-trust-ad on
Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file
system. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for inspiration.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
