On 15/03/16 14:36, Alexander Bokovoy wrote:
when I started I thought to make this samba<=>ipa chatter
more constructive I should do ... so I wound up with
samba(@openldap) having/using the same DN as IPA has in 389.
Will it work to do ipa-addtrust-install on that one box with
On Tue, 15 Mar 2016, lejeczek wrote:
For Samba and IPA on the same box, this is configured
On 15/03/16 13:42, Rob Crittenden wrote:
last - this must most FAQ people wonder - can IPA's 389
backend be used in the same/similar fashion samba uses
ldap? skipping all the kerberos bits? (samba & IPA on the
same one box)
On 14/03/16 17:06, Rob Crittenden wrote:
thanks Rob, may I ask why process by defaults looks up
Yes. It will skip over anything that already exists in
ipa: ERROR: group LDAP search did not return any
result (search base:
I see users went in but later I realized that current
samba's ou was
"group" not groups.
Can I just re-run migrations?
It is conservative but this is why it can be overridden.
We haven't had many (any?) reports of migrating from
Is there a reason it skips ldap+samba typical posixGroup &
Lastly, is there a way to preserve account
locked/disabled status for
I don't know how it is stored but as long as the schema
is available in
IPA then the values should be preserved on migration
attributes are associated with a blacklisted objectclass.
It uses ipasam PASSDB module instead of ldapsam. This
module knows IPA
LDAP schema and is capable to do more than ldapsam, but
can use resulting Samba setup in the same way as you do
The configuration is:
1. Install ipa-server-trust-ad (freeipa-server-trust-ad on
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project