Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-09 Thread Joshua Doll
I usually just run

authconfig --enablemkhomedir

--Joshua D Doll

On Wed, Dec 9, 2015 at 1:46 PM Ranbir  wrote:

> Hello Everyone,
>
> I installed a replica without passing the "mkhomedir" option to the
> install command. Sure enough, when I login to the replica, my home dir
> isn't created. I _could_ create it manually, but it would be nice if the
> first login triggered the creation.
>
> I've been trying to find an answer to this on my own, but so far I've
> had no luck.
>
> Thanks in advance!
>
> --
> Ranbir
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
Are you using the correct principal for the ldapsearch? Did you grant it
permissions to view those attributes?
--Joshua D Doll
On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <t...@casalogic.dk> wrote:

> Hmm, weird.
> I ran ipa-adtrust-install and it said it had users without SIDs, and I
> told it to generate SIDs.
> However, I still can't see them on the user.
> An IPA-db doesn't reveal them being generated and I can't look them up via
> LDAP.
>
> ldapsearch -Y GSSAPI uid=th ipaNTHash
> ...
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> .
>
> Samba, however, starts fine now, but is unable to find any users:
> pdbedit -Lv
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
> casalogic.lan
>
>
>
> - On Oct 27, 2015, at 3:46 PM, Joshua Doll <joshua.d...@gmail.com>
> wrote:
>
>
>
> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
> the ipa-adtrust-install --add-sids, even though I was not setting up a
> trust. It would be nice if there was a way to generate these values another
> way, maybe there is but I missed it.
>
> --Joshua D Doll
>
>
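An added diagnostic for the symptom discussed in this thread, user entries that ldapsearch returns without ipaNTHash or ipaNTSecurityIdentifier: it is not code from the thread or from FreeIPA, it parses the LDIF that ldapsearch prints and reports accounts-tree users lacking the Samba attributes, and the domain, DNs and attribute values below are constructed.

```python
import base64

# Constructed ldapsearch output modelled on the thread: a compat entry, an accounts
# entry lacking the Samba attributes, and one with both (SID and hash are made up).
SAMPLE_LDIF = """\
# base <dc=example,dc=lan> with scope subtree

dn: uid=th,cn=users,cn=compat,dc=example,dc=lan

dn: uid=th,cn=users,cn=accounts,dc=example,dc=lan

dn: uid=ok,cn=users,cn=accounts,dc=example,dc=lan
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==
"""
SAMBA_ATTRS = ("ipaNTHash", "ipaNTSecurityIdentifier")


def parse_ldif(text):
    """Parse ldapsearch LDIF into [{attr: [values]}]: folded lines (leading
    space) are joined and 'attr:: base64' values (e.g. ipaNTHash) decoded."""
    entries, current = [], None
    for line in text.replace("\n ", "").splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line terminates the current entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_samba_attrs(entries, tree="cn=accounts"):
    """Map dn -> Samba attributes missing on entries under the accounts tree;
    cn=compat entries never carry them, so they are skipped (no false alarms)."""
    report = {}
    for entry in entries:
        dn = entry["dn"][0]
        if tree in dn.split(","):
            missing = [a for a in SAMBA_ATTRS if a not in entry]
            if missing:
                report[dn] = missing
    return report
```

Feed it the output of the `ldapsearch ... ipaNTHash ipaNTSecurityIdentifier` query from the thread; an empty report means every accounts-tree user already has the values that ipa-adtrust-install --add-sids generates.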

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
What about as directory manager?

--Joshua D Doll

On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen  wrote:

> I should think so:
>
> On IPA server.
>
> ipa role-show 'CIFS server'
>   Role name: CIFS server
>   Privileges: CIFS server privilege
>   Member services: cifs/tinkerbell.casalogic@casalogic.lan
>
> ipa privilege-show 'CIFS server privilege'
>   Privilege name: CIFS server privilege
>   Permissions: CIFS test, CIFS server can read user passwords
>   Granting privilege to roles: CIFS server
>
> ipa permission-show 'CIFS server can read user passwords'
>   Permission name: CIFS server can read user passwords
>   Granted rights: read, search, compare
>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>   Bind rule type: permission
>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>   Type: user
>   Granted to Privilege: CIFS server privilege
>   Indirect Member of roles: CIFS server
>
> ipa-getkeytab -s kenai.casalogic.lan -p
> cifs/tinkerbell.casalogic@casalogic.lan -k /tmp/samba.keytab
>
> samba.keytab copied to samba server.
>
> on samba server (tinkerbell):
> kdestroy -A
> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>
> SASL/GSSAPI authentication started
> SASL username: cifs/tinkerbell.casalogic@casalogic.lan
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
--add-sids. I did notice when I was setting this up recently that I had to
run the adtrust-install command whenever I added new users or groups. I
don't know if it was just me being impatient or a limitation. Another thing
I noticed that is different between our two setups is that I couldn't get this
setup to work on a separate host; I am running samba on the same host as my
ipa service.

--Joshua D Doll

On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen  wrote:

> Same result...
>
> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
> ipaNTHash
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Joshua Doll
On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen  wrote:

> This might be related to the old thread
> https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html
> but on the other hand not quite, and I can't see that it has been
> solved.
>
> I have been spending quite some time on this, but haven't been able to
> solve it yet.
>
> My problem is:
>
> I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
> No Windows and definitely no AD, however we use Samba for sharing files to
> some clients.
>
> Clients are mostly Ubuntu-based laptops, completely individually managed.
> No central user admin or anything.
> Users manage their own PC 100%.
>
> We have two IPA servers set up, and all Linux servers authenticate against
> IPA and all that works flawlessly.
>
> We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4,
> using the ipa migrate script and this also worked fine.
>
> Now comes the tricky part that I haven't been able to solve.
>
> I can't seem to set Samba to play with IPA.
>
> I have been trying to use plain old ldapsam backend, but never managed to
> get it to work.
> Seems Samba can't authenticate users.
>
> Tried ipasam backend, using kerberos, following the instructions from the
> old thread:
> https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
> Samba fails to start up, with a:
> 2015/10/27 14:13:42.127557,  0] ipa_sam.c:4478(pdb_init_ipasam)
>   pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain. We cannot work reliably without it.
> [2015/10/27 14:13:42.127785,  0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>   pdb backend ipasam:"ldaps://kenai.casalogic.lan
> ldaps://koda.casalogic.lan" did not correctly init (error was
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> If I look at the users directly in LDAP, I can see they don't have an
> ipaNTHash or ipaNTSecurityIdentifier attribute, but they have preserved
> their old LDAP-ish sambaLMPassword and sambaNTPassword.
>
> I might be completely off, but I need Samba to authenticate users against
> IPA, using password, and not krb as I have no control over the clients.
>
> FreeIPA is currently 4.1
>
> --
>
> Kind regards
>
> *Troels Hansen*
>
> Systems consultant
>
> Casalogic A/S
>
> T  (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> 
>  
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.




To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
the ipa-adtrust-install --add-sids, even though I was not setting up a
trust. It would be nice if there was a way to generate these values another
way, maybe there is but I missed it.

--Joshua D Doll