My Samba server and IPA server are different machines too. I made LDAP replication IPA-SAMBA ( ). Unfortunately, it makes full replication (not only ldap-server), but it works. My Windows machines are not joined to a domain.

12.10.2016 03:43, Alan Latteri wrote:
I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 Windows machine in our network to be able to access our Linux-based server, using the same user/pass as that of our IPA authenticated Linux machines.

On Oct 10, 2016, at 1:35 PM, Степаненко Алексей wrote:

I read again the topic
It works exactly as I wanted

ipa-adtrust-install created the following configuration:

$ net conf list
        workgroup = WORKGROUP
        netbios name = SMB
        realm = GW.SPB.RU
        kerberos method = dedicated keytab
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        create krb5 conf = no
        security = user
        domain master = yes
        domain logons = yes
        log level = 1
        max log size = 100000
        log file = /var/log/samba/log.%m
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
        disable spoolss = yes
        ldapsam:trusted = yes
        ldap ssl = off
        ldap suffix = dc=gw,dc=spb,dc=ru
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        rpc_server:epmapper = external
        rpc_server:lsarpc = external
        rpc_server:lsass = external
        rpc_server:lsasd = external
        rpc_server:samr = external
        rpc_server:netlogon = external
        rpc_server:tcpip = yes
        rpc_daemon:epmd = fork
        rpc_daemon:lsasd = fork

But I don't understand why it wasn't put into smb.conf directly.

The second problem is 'passdb backend'. I didn't find any documentation about this module. An attempt to replace the file socket with a network connection failed, and I had to set up LDAP replication. It was easy, but "ipa-replica-prepare" installed the whole IPA server (tomcat, java, ldap), not only the ldap-server. I need to continue reading the documentation. However, the problem was solved.

06.10.2016 23:51, Степаненко Алексей wrote:
Thank you for your reply.

I've got a Samba server for a company; accounts are created by hand. Clients are different Windows or Linux desktops.

I want to install FreeIPA and have one area for managing accounts (SMB, SSH access for other servers). Now I am preparing a clean Samba installation for testing. It would be great to use FreeIPA as an authorization server for Samba.

I was looking for information about Samba + FreeIPA, but I found only this document. Maybe I am missing obvious things.

06.10.2016 20:31, Loris Santamaria wrote:
The document you are linking to explains how to configure a samba file
server in a freeipa domain, which is one of many ways you can configure
and use a samba server.

What do you want to achieve with samba, and what is your current setup?

On Thu, 06-10-2016 at 19:23 +0300, Степаненко Алексей wrote:

I've read the topic about FreeIPA and SAMBA

If I understand clearly, samba's client must be present in
FreeIPA AD.
Unfortunately, it does not work for me. I can't join some work
to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
LDAP support

          ldap admin dn
          ldap group suffix
          ldap idmap suffix
          ldap machine suffix
          ldap passwd sync
          ldap suffix
          ldap user suffix

Does it work with IPA?


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Best regards,
Степаненко Алексей,
Head of the Information Technology Group,
ООО "Глобал Веб Групп"
Website: http//
Tel.: +7 (812) 409-00-90
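
An added example, not part of the thread or of FreeIPA/Samba: a small reader for `net conf list` output that decodes the percent-encoded `ldapi://` socket path in `passdb backend` and reports whether `ldap ssl = off` matters for that transport. The helper names, the `ldap.example.test` host used in testing and the assumption that the backend honours smb.conf's documented `ldap ssl` setting are illustrative.

```python
from urllib.parse import unquote

# Constructed sample: a subset of the `net conf list` output quoted in the thread.
SAMPLE = """\
        realm = GW.SPB.RU
        security = user
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
        ldap ssl = off
        ldap suffix = dc=gw,dc=spb,dc=ru
"""

def parse_conf(text):
    """Parse the 'key = value' lines printed by `net conf list`."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep and key.strip():
            conf[" ".join(key.lower().split())] = value.strip()
    return conf

def backend(conf):
    """Split 'module:scheme://target' and classify how the directory is reached."""
    module, _, url = conf.get("passdb backend", "").partition(":")
    scheme, _, target = url.partition("://")
    scheme = scheme.lower()
    if scheme == "ldapi":                       # LDAP over a local Unix socket
        return {"module": module, "transport": "unix-socket", "target": unquote(target)}
    if scheme in ("ldap", "ldaps"):
        return {"module": module, "transport": "network", "scheme": scheme, "target": target}
    return {"module": module, "transport": "local", "target": ""}

def review(conf):
    """Return notes on how passdb traffic is protected (hypothetical helper)."""
    b, notes = backend(conf), []
    ssl = conf.get("ldap ssl", "start tls").lower()   # smb.conf default is 'start tls'
    if b["transport"] == "unix-socket":
        notes.append(f"{b['module']} uses local socket {b['target']}; "
                     "traffic stays on this host, guarded by filesystem permissions")
    elif b["transport"] == "network" and b["scheme"] == "ldap" and ssl in ("off", "no"):
        notes.append(f"{b['module']} would send binds to {b['target']} without TLS")
    return notes

if __name__ == "__main__":
    for note in review(parse_conf(SAMPLE)):
        print(note)
```

With the configuration from the thread the only note is the local-socket one, which is why `ldap ssl = off` is harmless there; the same setting combined with an `ldap://` backend URI is what the check flags.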
