Interestingly enough, I have almost the same setup here.
I did an ipa-server install, then did ipa-adtrust-install. Afterward, I
went through and grabbed the configs with 'net conf list' and modified it
to use my shares. This one is just my testing, but the production one works
perfectly!
How did you import your users? I did mine by setting up an openldap and
importing an ldif with the proper DN values. Then ran ipa migrate-ds. In
some cases, certain data didn't migrate, so I added that with ldapmodify as
necessary.
Here's what my samba config looks like with 'net conf list'. It seems it's
pretty much the same as yours. Except for mine working, of course.
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 10
disable spoolss = Yes
domain logons = Yes
domain master = Yes
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = cn=users,cn=accounts
registry shares = Yes
create krb5 conf = No
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
[homes]
browseable = no
comment = Home Directories
read only = no
[share1]
browseable = yes
read only = no
path = /srv/samba/share1
comment = Temporary Public Share
valid users = @testgroup
Cheers,
herlo
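herlo's remark that the two [global] sections look "pretty much the same" can be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from Samba or FreeIPA: it compares excerpts of the two configurations posted in the thread (the [homes] share appears only in herlo's listing) after normalising parameter names and boolean spellings the way Samba does, so that only substantive differences are reported.

```python
"""Diff two Samba configurations as printed by `net conf list`.

Samba matches parameter names without regard to case or whitespace, and
accepts yes/true/1 and no/false/0 interchangeably for booleans, so both are
normalised before comparing; otherwise cosmetic differences hide real ones.
"""
import re

# Excerpts of the two [global] sections posted in the thread (herlo's and
# Jason's); [homes] appears only in herlo's listing.
HERLO_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
domain logons = Yes
ldap suffix = dc=example,dc=com
ldapsam:trusted = yes
idmap config * : backend = tdb
[homes]
browseable = no
read only = no
"""

JASON_CONF = """\
[global]
workgroup = ATTASK
netbios name = IPA01
realm = ATTASK.CORP
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
domain logons = Yes
ldap suffix = dc=attask,dc=corp
ldapsam:trusted = yes
idmap config * : backend = tdb
"""

_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}


def normalise_key(key):
    """Parameter names: case-insensitive, whitespace ignored (as Samba does)."""
    return re.sub(r"\s+", "", key).lower()


def normalise_value(value):
    """Fold boolean spellings; leave everything else (paths, DNs) exact."""
    v = value.strip()
    return _BOOL.get(v.lower(), v)


def parse_smbconf(text):
    """Return {section: {key: value}} from smb.conf / `net conf list` text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                       # not a parameter line
        key, _, value = line.partition("=")
        conf[section][normalise_key(key)] = normalise_value(value)
    return conf


def diff_conf(a, b):
    """Per section: (keys only in a, keys only in b, {key: (a_val, b_val)}).
    A section present on one side only maps to 'only in a' / 'only in b'."""
    out = {}
    for section in sorted(set(a) | set(b)):
        if section not in a or section not in b:
            out[section] = "only in a" if section in a else "only in b"
            continue
        pa, pb = a[section], b[section]
        only_a = sorted(set(pa) - set(pb))
        only_b = sorted(set(pb) - set(pa))
        changed = {k: (pa[k], pb[k]) for k in sorted(set(pa) & set(pb)) if pa[k] != pb[k]}
        out[section] = (only_a, only_b, changed)
    return out


if __name__ == "__main__":
    for section, d in diff_conf(parse_smbconf(HERLO_CONF), parse_smbconf(JASON_CONF)).items():
        print(f"[{section}]", d)
```

On these excerpts the only parameter present on one side is netbios name; the remaining differences are the site-specific values (workgroup, realm, passdb backend socket, ldap suffix), which is what "pretty much the same" means in practice. Feed it the full `net conf list` output of both hosts to get the complete picture.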
On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith jasonsm...@attask.com wrote:
A little history. We migrated from an OpenLDAP system to FreeIPA. The
IPA version is listed above. I have samba installed and integrated
directly on the FreeIPA box.
The problem we're having is that users who were migrated can no longer see
the samba shares. We are connecting to these shares through Mac OSX. When
accessing the share with smbclient -L mydom...@domain.com I get the
response *session setup failed: NT_STATUS_CONNECTION_DISCONNECTED.* This
is the response I get when connected to the FreeIPA/Samba box.
Users were able to access these shares, then overnight, they weren't. No
changes were made to the samba config or the FreeIPA. *Any new user
created through FreeIPA can see and browse any share they have access to.*
If there's any other information needed, please let me know. Thank you!!!
Below are a couple configs I have set:
*Samba global settings*
[global]
workgroup = ATTASK
netbios name = IPA01
realm = ATTASK.CORP
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
log file = /var/log/samba/log.%m
max log size = 10
disable spoolss = Yes
domain logons = Yes
domain master = Yes
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap suffix = dc=attask,dc=corp
ldap ssl = no
ldap user suffix = cn=users,cn=accounts
registry shares = Yes
create krb5 conf = No
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
*User Not Working:*
dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
uid: test
sn: test
cn: test
mail: t...@test.com
nsaccountlock: False
has_password: True
has_keytab: True
dialupAccess: yes
displayName: test test
emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
gidNumber: 107001365
givenName: test
homeDirectory: /home/test
ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
krbLastFailedAuth: 20141028151647Z
krbLastPwdChange: 20141028152120Z
krbLastSuccessfulAuth: 20141028152012Z
krbLoginFailedCount: 0
krbPasswordExpiration: 20150122152120Z
krbPrincipalName: t...@attask.corp
krbTicketFlags: 128
loginShell: /sbin/nologin
memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: organizationalperson
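A check of the kind Jason's "User Not Working" listing invites, as an added example that is not part of the thread and is not FreeIPA or Samba code: it parses LDIF (including folded lines and base64 values) and reports, per user, what the ipasam passdb backend needs before it will treat an entry as a Samba account. The checks assume ipasam's requirements of an objectClass ipaNTUserAttrs and an ipaNTSecurityIdentifier belonging to the local domain SID. The sample LDIF is constructed: the first entry is modelled on the thread's test user (its objectClass list is cut off above, so ipaNTUserAttrs is assumed there) and the second is a hypothetical migrated user that never received NT attributes.

```python
"""Audit LDIF user entries for the attributes ipasam needs.

Assumption (from ipasam's behaviour, not from the thread): a Samba-visible
user entry carries objectClass ipaNTUserAttrs and an ipaNTSecurityIdentifier
whose domain part matches the rest of the domain's users.
"""
import base64
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample. First entry mirrors the 'User Not Working' listing in the
# thread (objectClass ipaNTUserAttrs assumed, the listing is cut off); second
# entry is a hypothetical migrated user that never received NT attributes.
SAMPLE_LDIF = """\
dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
uid: test
cn: test
nsaccountlock: False
ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: organizationalperson
objectClass: ipaNTUserAttrs

dn: uid=migrated,cn=users,cn=accounts,dc=attask,dc=corp
uid: migrated
cn: migrated user
description:: bWlncmF0ZWQgZnJvbSBPcGVuTERBUA==
nsaccountlock: False
objectClass: ipaobject
objectClass: organizationalperson
objectClass: inetorgperson
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute(lowercased): [values]} dicts.
    Handles folded lines (leading space), '::' base64 values and repeated
    attributes; comment and version lines are ignored."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_samba_user(entry, expected_domain_sid=None):
    """Return the list of problems that would stop ipasam from seeing this
    entry as a Samba user (empty list means the entry looks complete)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "ipantuserattrs" not in classes:
        problems.append("missing objectClass ipaNTUserAttrs")
    sids = entry.get("ipantsecurityidentifier", [])
    if not sids:
        problems.append("missing ipaNTSecurityIdentifier")
    elif not SID_RE.match(sids[0]):
        problems.append(f"malformed SID {sids[0]}")
    elif expected_domain_sid and not sids[0].startswith(expected_domain_sid + "-"):
        problems.append(f"SID {sids[0]} is not from domain {expected_domain_sid}")
    if entry.get("nsaccountlock", ["False"])[0].lower() == "true":
        problems.append("account is locked (nsAccountLock)")
    return problems


def audit(ldif_text):
    """Map each uid to its problem list. The domain SID is taken from the
    first well-formed SID found, so a stray SID from another domain shows up."""
    entries = parse_ldif(ldif_text)
    domain = None
    for entry in entries:
        for sid in entry.get("ipantsecurityidentifier", []):
            if SID_RE.match(sid):
                domain = sid.rsplit("-", 1)[0]
                break
        if domain:
            break
    return {e.get("uid", ["?"])[0]: check_samba_user(e, domain) for e in entries}


if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Point it at an `ldapsearch -LLL` export of cn=users,cn=accounts to get one line per user. Entries it flags are the ones to look at first; ipa-adtrust-install --add-sids is FreeIPA's own way of giving pre-existing entries the NT attributes.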