On 06/06/16 12:42, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, lejeczek wrote:
> I don't know details of what you have configured. For IPA
> both Kerberos and passwords should work when Samba is
> running on IPA master. For IPA client, we have procedure
> defined for SMB services with Kerberos require use of
> principal. Your keytab only has host/<hostname> keys, and
> your AD machine account for the <hostname> does not have
> defined. The latter is what causes smbclient -k to fail
> -- AD DC doesn't know about 'cifs/<hostname>' and refuses
> to issue a service ticket even before smbclient contacts
> Samba server.

I emailed (this thread) most of the configs, if not all,
~two emails ago, last Friday.

Yes, cifs needs to be in the keytab file; smbclient to
itself (on the smb server locally) works now with -k.
I wonder - should it also work with only passwords? It
does not, for me.

>> User mapping concept (which I do not grasp completely
>> yet) - when an AD client (win10) now gets to samba shares
>> okay, it is done with AD user credentials; win client sees
>> share like: u...@my.dom, which user is not IPA's user
>> (there are no trusts, no syncing).
>> Last thing I wonder is that SIDs/UIDs mapping - one: do I
>> want/need it? and if one, then two: how to achieve it
>> running a setup like mine?
> SIDs to UID/GID on the system. You seem to confuse a lot
> in your emails -- you are claiming that there is no IPA
> trust or sync in place yet you expect somehow things to
> magically work, I simply don't situation to comment on it.

Not magically, no, it's the same one box, IPA server and at
the same time samba (non-IPA, might be why smbclient without
kerberos does Not work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no
winbind yet - thus my only question now is more about
concepts, which - yes - I don't grasp fully.
Yes, I am confused; the way I understand it is: my linux box
now has two separate user db backends, two different user
catalogs, the first one is IPA's and the second is AD's via
sssd (which samba, being an AD client, also uses) with no
winbind at
Now, when you say mapping - this would be winbind/smb
translating/mapping AD's SIDs to match IPA's UIDs - which
is/would be different from syncing users from AD => IPA

>> Another thing, not having winbind in nsswitch (or not
>> having it at all), but still having sssd using AD -
>> should I be able to access linux+sssd=>AD box with means
>> like ssh? eg. ssh m...@email@example.com (I think I had it
>> working with winbind in
> SSSD client as IPA client will work with passwords in AD
> but only if trust is established between IPA and AD.
> anything else only Kerberos would work.
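The failure Alexander describes has two halves that are easy to confuse: the AD machine account must carry a cifs/<hostname> servicePrincipalName (otherwise the DC refuses the service ticket before smbclient ever reaches Samba), and the server's keytab must hold a key for that same principal (otherwise Samba cannot decrypt the ticket the DC did issue). The checker below is an added example, not code from this thread, Samba or FreeIPA. It parses the text printed by `klist -kt <keytab>` and an LDIF dump of the computer object's servicePrincipalName attribute and reports which half is broken. The two sample inputs are constructed to reproduce the situation in the thread (host/ keys only, no cifs/ SPN); the hostname smb1.example.test and realm EXAMPLE.TEST are assumptions.

```python
"""Diagnose why `smbclient -k` against an AD-joined Samba server fails.

Added example (not from the freeipa-users thread, Samba or FreeIPA).
Inputs: the text of `klist -kt <keytab>` (MIT Kerberos format) and an LDIF
dump of the AD computer object. Both samples are constructed; hostname and
realm are assumptions.
"""
import re
from typing import Dict, List, Set

HOSTNAME = "smb1.example.test"   # assumed server FQDN
REALM = "EXAMPLE.TEST"           # assumed AD Kerberos realm

# Constructed `klist -kt /etc/krb5.keytab` output: host/ keys only, as in the
# thread. MIT prints one line per encryption type, so principals repeat.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/03/2016 10:15:01 host/smb1.example.test@EXAMPLE.TEST
   2 06/03/2016 10:15:01 host/smb1.example.test@EXAMPLE.TEST
   2 06/03/2016 10:15:01 host/SMB1@EXAMPLE.TEST
"""

# Constructed LDIF for the computer object: no cifs/ SPN has been registered.
SAMPLE_LDIF = """\
dn: CN=SMB1,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/smb1.example.test
servicePrincipalName: HOST/SMB1
servicePrincipalName: RestrictedKrbHost/smb1.example.test
servicePrincipalName: RestrictedKrbHost/SMB1
"""

# One keytab entry: KVNO, a date token, a time token, principal@REALM.
_KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_text: str) -> Dict[str, Set[int]]:
    """Map each principal in klist -kt output to the set of KVNOs present.

    The 'Keytab name:' line, the column headings and the dashed rule do not
    match the entry pattern and are skipped; per-enctype repeats collapse.
    """
    found: Dict[str, Set[int]] = {}
    for line in klist_text.splitlines():
        m = _KLIST_ENTRY.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def account_spns(ldif_text: str) -> Set[str]:
    """Collect servicePrincipalName values from an LDIF dump.

    Values are lower-cased because AD compares SPNs case-insensitively
    (HOST/smb1 and host/smb1 are the same SPN).
    """
    spns: Set[str] = set()
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "serviceprincipalname":
            spns.add(value.strip().lower())
    return spns


def diagnose(klist_text: str, ldif_text: str, hostname: str, realm: str) -> List[str]:
    """Return the problems that would break `smbclient -k //<hostname>/<share>`.

    Checked in the order the protocol hits them: first the KDC side (is the
    SPN registered on the machine account?), then the server side (is the
    key in the keytab?). An empty list means both checks pass.
    """
    cifs_spn = f"cifs/{hostname}"
    problems: List[str] = []
    if cifs_spn not in account_spns(ldif_text):
        problems.append(
            f"AD machine account lacks SPN {cifs_spn}: the DC will refuse to "
            "issue a service ticket, so the client fails before reaching Samba")
    if f"{cifs_spn}@{realm}" not in keytab_principals(klist_text):
        problems.append(
            f"keytab has no key for {cifs_spn}@{realm}: Samba cannot decrypt a "
            "cifs/ service ticket even if the DC issues one")
    return problems


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_KLIST, SAMPLE_LDIF, HOSTNAME, REALM):
        print("PROBLEM:", problem)
```

Feed it real output by piping `klist -kt /etc/krb5.keytab` (or Samba's own keytab, if `dedicated keytab file` is set) and an `ldapsearch -LLL ... servicePrincipalName` dump of the computer object into the two functions; both checks must come back clean before `smbclient -k` can succeed, which is why fixing the keytab alone did not help until the SPN existed on the account as well.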
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project