On 06/06/16 12:42, Alexander Bokovoy wrote:
On Mon, 06 Jun 2016, lejeczek wrote:
SMB services with Kerberos require use of
cifs/<hostname> service
principal. Your keytab only has host/<hostname> keys,
and your AD
machine account for the <hostname> does not have
'cifs/<hostname>' SPN
defined. The latter is what causes smbclient -k to fail
-- AD DC
doesn't know about 'cifs/<hostname>' and refuses to
issue a service
ticket even before smbclient contacts Samba server.
Alexander, thanks!
yes, cifs needs to be in keytab file, smbclient to
itself(on smb server locally) works now with -k.
I wonder - should it also work with only passwords? It
does not, for me.
Users mapping concept (which I do not grasp completely
yet) - when an AD client (win10) now gets to samba shares
okey it is done with AD user credentials, win client sees
share like: [email protected] which user is not IPA's user
(there are no trusts no syncing).
I don't know details of what you have configured. For IPA
with trusts
both Kerberos and passwords should work when Samba is
running on IPA
master. For IPA client, we have procedure defined for
SSSD+Samba. For
anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all,
~two emails ago, last Friday.
Now, when you say mapping - this would be winbind/smb
translating/mapping AD's SIDs to match IPA's UIDs - which
is/would be different from syncying users from AD => IPA
,correct?
SIDs to UID/GID on the system. You seem to confuse a lot
in your emails
-- you are claiming that there is no IPA trust or sync in
place yet you
expect somehow things to magically work, I simply don't
understand your
situation to comment on it.
not magically, no, it's the same one box, IPA server and at
the same time samba(non-IPA, might be why smbclient without
kerberos does Not work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no
winbind yet - thus my only question now is more about
concepts, which - yes - I don't grasp fully.
Yes I confuse, the way I understand is: my linux box now has
two separate user db backends, two different users catalogs,
first one is IPA's and the second is AD's via sssd(which
samba being an AD's client also uses) with no winbind at
this point.
Last thing I wonder is that SIDs/UIDs mapping - one: do I
want/need it? and if one then two: how to achieve it running
setup like mine?
Another thing, not having winbind in nsswitch (or not
having it at all), but still having sssd using AD -
should I be able to access
linux+sssd=>AD box with means like ssh? eg. ssh
[email protected]@swir.private.my.dom (I think I had it worked
with windbind in
nsswitch)
SSSD client as IPA client will work with passwords in AD
but only if
trust is established between IPA and AD.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
