Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 09:33:48AM +0100, Troels Hansen wrote:
> 
> - On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote:
> 
> > 
> > do you see any more details if you run pdbedit with '-d 255' ?
> > 
> 
> Not really:
> 
> pdbedit -d 255 -Lv th
> ...
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
> Locking key 534543524554532F5349442F434153414C4F4749432E4C414E
> Allocated locked data 0x0x7f8d46d0cb40
> Unlocking key 534543524554532F5349442F434153414C4F4749432E4C414E
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1: 2: 3:
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
> Locking key 534543524554532F5349442F434153414C4F474943
> Allocated locked data 0x0x7f8d46d0ccc0
> Unlocking key 534543524554532F5349442F434153414C4F474943
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1: 2: 3:
> check lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
> Locking key 534543524554532F5349442F4B454E4149
> Allocated locked data 0x0x7f8d46d0d1c0
> Unlocking key 534543524554532F5349442F4B454E4149
> release lock order 1 for /var/lib/samba/private/secrets.tdb
> lock order:  1: 2: 3:
> smbldap_search_ext: base => 
> [cn=CASALOGIC.LAN,cn=kerberos,dc=casalogic,dc=lan], filter => 
> [objectclass=krbrealmcontainer], scope => [0]
> smbldap_open: already connected to the LDAP server
> Attribute [krbDefaultEncSaltTypes] not found.
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain 
> casalogic.lan
> pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CASALOGIC-LAN.socket has a 
> valid init
> smbldap_search_ext: base => [dc=casalogic,dc=lan], filter => 
> [(&(objectClass=ipaNTUserAttrs)(uid=th))], scope => [2]
> smbldap_open: already connected to the LDAP server
> init_sam_from_ldap: Entry found for user: th
> pdb_set_username: setting username th, was 
> element 11 -> now SET
> pdb_set_domain: setting domain casalogic.lan, was 
> element 13 -> now DEFAULT
> pdb_set_nt_username: setting nt username th, was 
> element 14 -> now SET
> pdb_set_user_sid_from_string: setting user sid 
> S-1-5-21-3663793457-3789003531-2001508300-2004
> pdb_set_user_sid: setting user sid 
> S-1-5-21-3663793457-3789003531-2001508300-2004
> element 17 -> now SET
> Segmentation fault
> [root@kenai ~]#
> 
> 
> > 
> > Can you send me a full backtrace of the core or the whole core file with
> > the version of the samba.common package?
> > 
> 
> I have captured a coredump with abrt.
> Should I just send it directly to you? (20Mb uncompressed).

yes, please do.

bye,
Sumit


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Troels Hansen

- On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote:

> 
> do you see any more details if you run pdbedit with '-d 255' ?
> 

Not really:

pdbedit -d 255 -Lv th
...
check lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
Locking key 534543524554532F5349442F434153414C4F4749432E4C414E
Allocated locked data 0x0x7f8d46d0cb40
Unlocking key 534543524554532F5349442F434153414C4F4749432E4C414E
release lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1: 2: 3:
check lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
Locking key 534543524554532F5349442F434153414C4F474943
Allocated locked data 0x0x7f8d46d0ccc0
Unlocking key 534543524554532F5349442F434153414C4F474943
release lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1: 2: 3:
check lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1:/var/lib/samba/private/secrets.tdb 2: 3:
Locking key 534543524554532F5349442F4B454E4149
Allocated locked data 0x0x7f8d46d0d1c0
Unlocking key 534543524554532F5349442F4B454E4149
release lock order 1 for /var/lib/samba/private/secrets.tdb
lock order:  1: 2: 3:
smbldap_search_ext: base => [cn=CASALOGIC.LAN,cn=kerberos,dc=casalogic,dc=lan], 
filter => [objectclass=krbrealmcontainer], scope => [0]
smbldap_open: already connected to the LDAP server
Attribute [krbDefaultEncSaltTypes] not found.
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain 
casalogic.lan
pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CASALOGIC-LAN.socket has a 
valid init
smbldap_search_ext: base => [dc=casalogic,dc=lan], filter => 
[(&(objectClass=ipaNTUserAttrs)(uid=th))], scope => [2]
smbldap_open: already connected to the LDAP server
init_sam_from_ldap: Entry found for user: th
pdb_set_username: setting username th, was 
element 11 -> now SET
pdb_set_domain: setting domain casalogic.lan, was 
element 13 -> now DEFAULT
pdb_set_nt_username: setting nt username th, was 
element 14 -> now SET
pdb_set_user_sid_from_string: setting user sid 
S-1-5-21-3663793457-3789003531-2001508300-2004
pdb_set_user_sid: setting user sid 
S-1-5-21-3663793457-3789003531-2001508300-2004
element 17 -> now SET
Segmentation fault
[root@kenai ~]#


> 
> Can you send me a full backtrace of the core or the whole core file with
> the version of the samba.common package?
> 

I have captured a coredump with abrt.
Should I just send it directly to you? (20Mb uncompressed).



Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Troels Hansen
OK, I have gotten my SID generation to run.
However, on the migrated users I'm unable to do a pdbedit -L.
I get:

pdbedit -Lv th
doing parameter max log size = 50
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 
SO_RCVBUF=8192
doing parameter printing = cups
doing parameter printcap name = /etc/printcap
doing parameter load printers = no
pm_process() returned Yes
No builtin backend found, trying to load plugin
Module 'ipasam' loaded
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain 
casalogic.lan
init_sam_from_ldap: Entry found for user: th
Segmentation fault

on the users generated directly in IPA it works.

[root@tinkerbell ~]# pdbedit -Lv kk

I get the same error when calling pdbedit on IPA or on a different Samba server 
connected with ipasam.

The only difference I can see is that the users causing the segfault have a RID from 
the primary range, and the users that work have one from the secondary range, so I suspect 
that something has gone wrong in my shifting around of the ranges and this 
somehow causes ipasam to segfault.

Could I just delete the ipaNTSecurityIdentifier directly in LDAP and let the 
SID generation run again, or does someone have a good idea how to have the SIDs 
reset?

- On Nov 3, 2015, at 8:06 PM, Troels Hansen t...@casalogic.dk wrote:

> Hi, I got a bit further.
> I found the error, being that I had some groups from the old LDAP with gid 
> around 500, and the current ID range in IPA set to start at 2000, which was my 
> start UID on the old LDAP.
> 
> Is it possible to "reset" the base UID/GID that IPA assigns to the next user? 
> I can't find it saved in the LDAP anywhere?
> 
> - On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote:
> 
>> On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote:
>>> Hi again, so I finally got time to look further into this.
>>> 
>>> This task works:
>>> 
>>> dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
>>> add:objectclass:top,extensibleObject
>>> add:cn:$TIME-$FQDN-$LIBARCH
>>> add:nsslapd-basedn:"$SUFFIX"
>>> add:delay:0
>>> add:ttl:3600
>>> 
>>> However, the task gets generated, but no output can be pulled from the task:
>>> 
>>> ldapsearch -D "cn=Directory Manager" -W -b
>>> 'cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config'
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base
>>> 

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Sumit Bose
On Tue, Nov 03, 2015 at 08:06:49PM +0100, Troels Hansen wrote:
> Hi, I got a bit further.
> I found the error, being that I had some groups from the old LDAP with gid 
> around 500, and the current ID range in IPA set to start at 2000, which was my 
> start UID on the old LDAP.

The SIDs are generated based on the UID or GID and the data from a
matching idrange, see http://www.freeipa.org/page/V3/ID_Ranges for
details about the idranges.

To get SIDs assigned to the old entries you have to add a new idrange
for the local users:

ipa idrange-add type=ipa-local --base-id=500 --range-size=100 
--rid-base=100 --secondary-rid-base=1000200

With this the UIDs and GIDs between 500 and 600 will get SIDs with RIDs
in the range from 100 to 1000100 (see the link above for why there is a
secondary RID base).


> 
> Is it possible to "reset" the base UID/GID that IPA assigns to the next user? 
> I can't find it saved in the LDAP anywhere?

New IDs are assigned by the DNA plugin, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Managing-Unique_UID_and_GID_Attributes.html
and
http://directory.fedoraproject.org/docs/389ds/design/dna-plugin.html for
details.

Please note that although they are somewhat related there currently is
no automatic configuration of the ranges used by the DNA plugin and the
ranges managed by the 'ipa idrange-*' utility. There is ticket
https://fedorahosted.org/freeipa/ticket/3609 to fix this.

HTH

bye,
Sumit
> 
> - On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote:
> 
> > On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote:
> >> Hi again, so I finally got time to look further into this.
> >> 
> >> This task works:
> >> 
> >> dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
> >> add:objectclass:top,extensibleObject
> >> add:cn:$TIME-$FQDN-$LIBARCH
> >> add:nsslapd-basedn:"$SUFFIX"
> >> add:delay:0
> >> add:ttl:3600
> >> 
> >> However, the task gets generated, but no output can be pulled from the 
> >> task:
> >> 
> >> ldapsearch -D "cn=Directory Manager" -W -b
> >> 'cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config'
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base
> >> 
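The UID/GID to SID mapping Sumit describes, worked through in Python as an added example (not FreeIPA's own ipa-sidgen code): the idrange that covers a POSIX ID supplies the RID as rid_base + (id - base_id), and the RID is appended to the domain SID. It uses the idrange from his `ipa idrange-add` line and the domain SID from the pdbedit output earlier in the thread; the range starting at 2000 and the range names are constructed stand-ins, since the real range's size and RID bases are not on the page.

```python
"""Work the UID/GID -> SID mapping Sumit describes: the idrange covering a POSIX ID
supplies the RID, RID = rid_base + (id - base_id), appended to the domain SID.

Added example, not FreeIPA's ipa-sidgen code. The 500/100/100/1000200 range is the
one from the `ipa idrange-add` line above; the domain SID and RID 2004 are from the
pdbedit output in the thread; the range starting at 2000 is constructed (its size
and RID bases are not on the page).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain SID as printed by pdbedit for user 'th', with the RID (2004) removed.
DOMAIN_SID = "S-1-5-21-3663793457-3789003531-2001508300"


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int             # --base-id: first POSIX ID covered by the range
    range_size: int          # --range-size: number of IDs (and RIDs) in the range
    rid_base: int            # --rid-base: RID given to base_id in the primary block
    secondary_rid_base: int  # --secondary-rid-base: start of the second RID block

    def covers_id(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.range_size

    def rid_block(self, rid: int) -> Optional[str]:
        """'primary' or 'secondary' if the RID falls in that block of this range."""
        if self.rid_base <= rid < self.rid_base + self.range_size:
            return "primary"
        if self.secondary_rid_base <= rid < self.secondary_rid_base + self.range_size:
            return "secondary"
        return None


RANGES: List[IdRange] = [
    # Constructed stand-in for the existing range that starts at 2000.
    IdRange("ipa_local_range", base_id=2000, range_size=200000,
            rid_base=1000, secondary_rid_base=100000000),
    # The range Sumit proposes for the migrated entries with IDs around 500.
    IdRange("old_ldap_range", base_id=500, range_size=100,
            rid_base=100, secondary_rid_base=1000200),
]


def find_range(posix_id: int, ranges: List[IdRange]) -> Optional[IdRange]:
    for r in ranges:
        if r.covers_id(posix_id):
            return r
    return None


def sid_for_id(posix_id: int, ranges: List[IdRange],
               use_secondary: bool = False) -> Optional[str]:
    """SID for a POSIX ID, or None when no idrange covers it (Troels' GIDs near 500).

    Which RID block ipa-sidgen uses for which object type is on the ID_Ranges page
    linked above, not here, so the caller picks the block.
    """
    r = find_range(posix_id, ranges)
    if r is None:
        return None
    base = r.secondary_rid_base if use_secondary else r.rid_base
    return f"{DOMAIN_SID}-{base + (posix_id - r.base_id)}"


def id_for_sid(sid: str, ranges: List[IdRange]) -> Optional[Tuple[str, str, int]]:
    """Reverse lookup: (range name, RID block, POSIX ID) for a SID of this domain.

    Answers the question raised later in the thread: did a user's SID come from
    the primary or the secondary RID block of its range?
    """
    prefix = DOMAIN_SID + "-"
    if not sid.startswith(prefix) or not sid[len(prefix):].isdigit():
        return None  # another domain's SID, or malformed
    rid = int(sid[len(prefix):])
    for r in ranges:
        block = r.rid_block(rid)
        if block == "primary":
            return r.name, block, r.base_id + (rid - r.rid_base)
        if block == "secondary":
            return r.name, block, r.base_id + (rid - r.secondary_rid_base)
    return None


def unmapped_ids(posix_ids: List[int], ranges: List[IdRange]) -> List[int]:
    """IDs no range covers; such entries get no ipaNTSecurityIdentifier."""
    return [i for i in posix_ids if find_range(i, ranges) is None]


if __name__ == "__main__":
    for posix_id in (450, 550, 2004):
        print(f"id {posix_id} -> {sid_for_id(posix_id, RANGES)}")
    print(id_for_sid(f"{DOMAIN_SID}-2004", RANGES))
    print("unmapped with only the 2000 range:", unmapped_ids([500, 1999, 2000], RANGES[:1]))
```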

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-03 Thread Troels Hansen
Hi, I got a bit further.
I found the error, being that I had some groups from the old LDAP with gid 
around 500, and the current ID range in IPA set to start at 2000, which was my start 
UID on the old LDAP.

Is it possible to "reset" the base UID/GID that IPA assigns to the next user? I 
can't find it saved in the LDAP anywhere?

- On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote:

> On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote:
>> Hi again, so I finally got time to look further into this.
>> 
>> This task works:
>> 
>> dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
>> add:objectclass:top,extensibleObject
>> add:cn:$TIME-$FQDN-$LIBARCH
>> add:nsslapd-basedn:"$SUFFIX"
>> add:delay:0
>> add:ttl:3600
>> 
>> However, the task gets generated, but no output can be pulled from the task:
>> 
>> ldapsearch -D "cn=Directory Manager" -W -b
>> 'cn=1446551851-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base
>> 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Troels Hansen wrote:

> Hi Alexander, sorry for the last update directly to you, this was not intended.
> 
> Anyway, shouldn't I be able to check the status of the task added by 
> ipa-adtrust-install directly by just issuing a:
> 
> ldapsearch -D "cn=Directory Manager" -W -b 
> 'cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config'
> 
> All I get is:
> 
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Sumit Bose
On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote:
> Well, I think the problem here being that I miss the attributes. 
> One "funny" thing being that apparently, some users have had the ipantuserattrs 
> objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including 
> mine). 
> Tried adding a new user, just to test, and this gets created with an 
> ipaNTSecurityIdentifier, however, my old users still don't. 
> I guess I just need a way to have IPA add ipantuserattrs and 
> ipaNTSecurityIdentifier to my existing users. 
> 
> When running ipa-adtrust-install it finds 85 users without SID, and I install 
> the SID plugin (which is just 2 LDIF's), but this still doesn't do anything. 

Did you run ipa-adtrust-install with the '--add-sids' option?

About ipaNTHash, this is not created by ipa-adtrust-install or any other
tool. For the integrated smbd the NT hash is derived from a suitable
Kerberos key by adding a magic keyword to the ipaNTHash attribute.

You can try to do this manually with the following steps:

 - The principal used by the internal smbd has the right permissions to
   add the attribute:
  
   kinit -k -t /etc/samba/samba.keytab cifs/ipa.server@IPA.DOMAIN

 - write the magic keyword MagicRegen into the ipaNTHash attribute of
   the user

   ldapmodify -Y GSSAPI -H ldap://ipa-devel.ipa.devel << END
   dn: uid=ipa_user,cn=users,cn=accounts,dc=ipa,dc=domain
   changetype: modify
   add: ipaNTHash
   ipaNTHash: MagicRegen
   END

If a suitable Kerberos key was available the user object now has the
ipaNTHash attribute set with the right NT hash value.

HTH

bye,
Sumit

> 
> - On Oct 29, 2015, at 8:16 PM, Joshua Doll  wrote: 
> 
> > Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
> > --add-sids. I did notice when I was setting this up recently that I had to run
> > the adtrust-install command whenever I added new users or groups. I don't know
> > if it was just me being impatient or a limitation. Another thing I noticed that
> > is different between our two setups is I couldn't get this setup to work on a
> > separate host, I am running samba on the same host as my ipa service.
> 
> > --Joshua D Doll
> 
> > On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < t...@casalogic.dk > wrote:
> 
> >> Same result...
> 
> >> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
> >> ipaNTHash
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
Hi Alexander, sorry for the last update directly to you, this was not intended.

Anyway, shouldn't I be able to check the status of the task added by 
ipa-adtrust-install directly by just issuing a:

ldapsearch -D "cn=Directory Manager" -W -b 
'cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config'

All I get is:

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Alexander Bokovoy

Please answer to the list.

On Fri, 30 Oct 2015, Troels Hansen wrote:

>> Not sure what you expect.
>> 
>> Modifying attributes for existing users takes time so we don't do it
>> automatically. When you run ipa-adtrust-install, it does ask you to run
>> a task that does the work of generating SIDs and adding needed
>> attributes/object classes.
>> 
>> However, ipaNTHash will not be there until either of two events happens:
>> - user changes password;
>> - user authenticates with Kerberos against Samba running on IPA master.
> 
> No, I'm aware that the NTHash won't be there until the user changes password.
> I would however expect objectClass ipaNTUserAttrs and an 
> ipaNTSecurityIdentifier to be added to all of my users.
> It's added to most objects, but I still need 85 users/objects where it's not 
> added, out of a total of ~500 (told by adtrust install script yesterday).
> It's been 14 hours since I ran it, but still need the remaining, and I have no 
> idea why it's not added.

You can check the task status.

See https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/ 
for how you can organize a task yourself or check the output from an existing task.

The task that is run by the installer has DN 
cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
You can use /usr/share/ipa/ipa-sidgen-task-run.ldif as a basis to add a
task file.
--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen



> I think it should be
> add:nsslapd-basedn: cn=accounts,$SUFFIX
> not
> add:basedn:"cn=accounts,$SUFFIX"
> 
> this is what sidgen task expects and it returns constraint violation
> error if parameters are wrong:
> 
>str = fetch_attr(e, "nsslapd-basedn", NULL);
>if (str == NULL) {
>LOG_FATAL("Missing nsslapd-basedn!\n");
>*returncode = LDAP_CONSTRAINT_VIOLATION;
>ret = SLAPI_DSE_CALLBACK_ERROR;
>goto done;
>}
> 

I think you are right.
Don't know what I have tested, but it brings me a different error, that I 
didn't see before:

ipa.ipapython.ipaldap.IPAdmin: DEBUG: Unhandled LDAPError: OPERATIONS_ERROR: 
{'desc': 'Operations error'}
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR: Add failure Operations 
error: 
ipa.ipaserver.install.ipa_ldap_updater.LDAPUpdater_NonUpgrade: INFO: The 
ipa-ldap-updater command was successful

Where did you find the source for the sidgen task? I could try looking at 
it myself, but can't find it.

-- 
Kind regards 

Troels Hansen 

System Consultant 

Casalogic A/S 

T (+45) 70 20 10 63 
M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.



Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Troels Hansen wrote:

>> This means the task has finished already.
>> 
>> You can run a new one to see if it reports something detailed about the
>> DNs it couldn't process.
> 
> Hmm, this is weird:
> 
> I have created a task:
> 10-task-sidgen-run.update
> 
> containing:
> 
> dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
> add:objectclass:top,extensibleObject
> add:cn:$TIME-$FQDN-$LIBARCH
> add:basedn:"cn=accounts,$SUFFIX"
> add:ttl:3600
> add:delay:0

I think it should be 
add:nsslapd-basedn: cn=accounts,$SUFFIX
not 
add:basedn:"cn=accounts,$SUFFIX"

this is what sidgen task expects and it returns constraint violation
error if parameters are wrong:

   str = fetch_attr(e, "nsslapd-basedn", NULL);
   if (str == NULL) {
       LOG_FATAL("Missing nsslapd-basedn!\n");
       *returncode = LDAP_CONSTRAINT_VIOLATION;
       ret = SLAPI_DSE_CALLBACK_ERROR;
       goto done;
   }


--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen

> This means the task has finished already.
> 
> You can run a new one to see if it reports something detailed about the
> DNs it couldn't process.
> 


Hmm, this is weird:

I have created a task:
10-task-sidgen-run.update

containing:

dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
add:objectclass:top,extensibleObject
add:cn:$TIME-$FQDN-$LIBARCH
add:basedn:"cn=accounts,$SUFFIX"
add:ttl:3600
add:delay:0

However, when I add it with debug enabled I get:

ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: Final value after applying 
updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: dn: 
cn=1446208552-kenai.casalogic.lan-64,cn=ipa-sidgen-task,cn=tasks,cn=config
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: cn:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: 
1446208552-kenai.casalogic.lan-64
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: objectclass:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: top
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: extensibleObject
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: basedn:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: 
cn=accounts,dc=casalogic,dc=lan
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: delay:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: 0
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: ttl:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: 3600
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: scope:
ipa.ipaserver.install.ldapupdate.LDAPUpdate: DEBUG: sub
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR: Add failure Constraint 
violation: 
ipa.ipaserver.install.ipa_ldap_updater.LDAPUpdater_NonUpgrade: INFO: The 
ipa-ldap-updater command was successful


but I can't see why I should get a constraint violation? Am I missing something?

Tried with a filter, without ttl, delay etc., and nsslapd-basedn instead of basedn, 
but no luck. Am I missing something?

As a test, I tried creating the task from your example, and this runs fine.

-- 
Kind regards 

Troels Hansen 

System Consultant 

Casalogic A/S 

T (+45) 70 20 10 63 
M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more.



Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Troels Hansen wrote:

>> I think it should be
>> add:nsslapd-basedn: cn=accounts,$SUFFIX
>> not
>> add:basedn:"cn=accounts,$SUFFIX"
>> 
>> this is what sidgen task expects and it returns constraint violation
>> error if parameters are wrong:
>> 
>>    str = fetch_attr(e, "nsslapd-basedn", NULL);
>>    if (str == NULL) {
>>        LOG_FATAL("Missing nsslapd-basedn!\n");
>>        *returncode = LDAP_CONSTRAINT_VIOLATION;
>>        ret = SLAPI_DSE_CALLBACK_ERROR;
>>        goto done;
>>    }
> 
> I think you are right.
> Don't know what I have tested, but it brings me a different error, that I 
> didn't see before:
> 
> ipa.ipapython.ipaldap.IPAdmin: DEBUG: Unhandled LDAPError: OPERATIONS_ERROR: 
> {'desc': 'Operations error'}
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR: Add failure Operations 
> error:
> ipa.ipaserver.install.ipa_ldap_updater.LDAPUpdater_NonUpgrade: INFO: The 
> ipa-ldap-updater command was successful
> 
> Where did you find the source for the sidgen task? I could try looking at 
> it myself, but can't find it.

You can check it here:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c#n221

--
/ Alexander Bokovoy

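As an added example (not FreeIPA's code), here is a small Python check that applies the condition visible in the quoted ipa_sidgen_task.c snippet to an update file: it parses the `dn:` and `add:attr:value` lines, substitutes the `$TIME`, `$FQDN`, `$LIBARCH` and `$SUFFIX` variables (values constructed to match the DN printed in the debug output above), and reports the `basedn` vs `nsslapd-basedn` mistake. The handling of double-quoted values is an assumption modelled on that debug output, not the updater's real parser.

```python
"""Lint a sidgen task update file for the mistake discussed in this thread.

Added example, not FreeIPA code: it applies the one check visible in the quoted
ipa_sidgen_task.c snippet (missing nsslapd-basedn -> LDAP_CONSTRAINT_VIOLATION) plus
sanity checks on the other visible attributes. Variable values in SUBST are
constructed to match the DN in the debug output; quote handling is an assumption.
"""
from typing import Any, Dict, List, Optional

# Troels' task file as posted (rejected with a constraint violation).
TROELS_TASK = """\
dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config
add:objectclass:top,extensibleObject
add:cn:$TIME-$FQDN-$LIBARCH
add:basedn:"cn=accounts,$SUFFIX"
add:ttl:3600
add:delay:0
"""
# The same file with the attribute name the plugin actually reads.
FIXED_TASK = TROELS_TASK.replace("add:basedn:", "add:nsslapd-basedn:")

SUBST = {  # constructed values for the updater variables used in the file
    "$TIME": "1446208552",
    "$FQDN": "kenai.casalogic.lan",
    "$LIBARCH": "64",
    "$SUFFIX": "dc=casalogic,dc=lan",
}
TASK_CONTAINER = "cn=ipa-sidgen-task,cn=tasks,cn=config"


def substitute(value: str, subst: Dict[str, str]) -> str:
    for var, repl in subst.items():
        value = value.replace(var, repl)
    return value


def split_values(raw: str, subst: Dict[str, str]) -> List[str]:
    """A double-quoted value stays whole (protecting the commas of a DN);
    anything else is a comma-separated list, as with objectclass above."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return [substitute(raw[1:-1], subst)]
    return [substitute(v.strip(), subst) for v in raw.split(",") if v.strip()]


def parse_update(text: str, subst: Dict[str, str]) -> Dict[str, Any]:
    """Parse the 'dn:' line and the 'add:<attr>:<values>' lines of one entry."""
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = substitute(line[3:].strip(), subst)
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0].strip() != "add":
            raise ValueError(f"unsupported update line: {raw!r}")
        attr = parts[1].strip().lower()  # LDAP attribute names are case-insensitive
        attrs.setdefault(attr, []).extend(split_values(parts[2], subst))
    return {"dn": dn, "attrs": attrs}


def check_sidgen_task(entry: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the entry passes these checks."""
    findings: List[str] = []
    dn, attrs = entry["dn"], entry["attrs"]
    if not dn or not dn.lower().endswith(TASK_CONTAINER):
        findings.append(f"dn must be a child of {TASK_CONTAINER}")
    # The plugin's check: fetch_attr(e, "nsslapd-basedn", NULL) == NULL
    # -> LOG_FATAL("Missing nsslapd-basedn!") and LDAP_CONSTRAINT_VIOLATION.
    basedn = attrs.get("nsslapd-basedn", [])
    if not basedn or not basedn[0]:
        msg = "missing nsslapd-basedn; the add is rejected with a constraint violation"
        if "basedn" in attrs:
            msg += " (found 'basedn': the plugin reads 'nsslapd-basedn')"
        findings.append(msg)
    if "extensibleobject" not in {v.lower() for v in attrs.get("objectclass", [])}:
        findings.append("objectclass should include extensibleObject")
    for name in ("ttl", "delay"):
        for value in attrs.get(name, []):
            if not value.isdigit():
                findings.append(f"{name} must be a non-negative integer, got {value!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("original", TROELS_TASK), ("fixed", FIXED_TASK)):
        entry = parse_update(text, SUBST)
        print(f"{label}: dn={entry['dn']}")
        for finding in check_sidgen_task(entry) or ["no findings"]:
            print("  -", finding)
```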


Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
Well, I think the problem here being that I miss the attributes. 
One "funny" thing being that apparently, some users have had the ipantuserattrs 
objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including 
mine). 
Tried adding a new user, just to test, and this gets created with an 
ipaNTSecurityIdentifier, however, my old users still don't. 
I guess I just need a way to have IPA add ipantuserattrs and 
ipaNTSecurityIdentifier to my existing users. 

when running ipa-adtrust-install it finds 85 users without SID, and I install 
the SID plugin (which is just 2 LDIF's), but this still doesn't do anything. 

- On Oct 29, 2015, at 8:16 PM, Joshua Doll  wrote: 

> Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
> --add-sids. I did notice when I was setting this up recently that I had to run
> the adtrust-install command whenever I added new users or groups. I don't know
> if it was just me being impatient or a limitation. Another thing I noticed that
> is different between our two setups is I couldn't get this setup to work on a
> separate host, I am running samba on the same host as my ipa service.

> --Joshua D Doll

> On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < t...@casalogic.dk > wrote:

>> Same result...

>> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
>> ipaNTHash
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
Hmm, weird. 
I ran ipa-adtrust-install and it said it had users without SIDs, and I 
told it to generate SIDs. 
However, I still can't see them on the user. 
An IPA-db doesn't reveal them being generated and I can't look them up via LDAP. 

ldapsearch -Y GSSAPI uid=th ipaNTHash 
... 
# th, users, compat, casalogic.lan 
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan 

# th, users, accounts, casalogic.lan 
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan 

. 

Samba however starts fine now, but unable to find any users: 
pdbedit -Lv 
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain 
casalogic.lan 

- On Oct 27, 2015, at 3:46 PM, Joshua Doll  wrote: 

> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
> would be nice if there was a way to generate these values another way, maybe
> there is but I missed it.

> --Joshua D Doll


Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
Are you using the correct principal for the ldapsearch? Did you grant it
permissions to view those attributes?
--Joshua D Doll
On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen  wrote:

> Hmm, weird.
> I ran ipa-adtrust-install and it said it had users without SIDs,
> and I told it to generate SIDs.
> However, I still can't see them on the user.
> a IPA-db doesn't reveal them being generated and I can't look them up via
> LDAP.
>
> ldapsearch -Y GSSAPI uid=th ipaNTHash
> ...
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> .
>
> Samba however starts fine now, but unable to find any users:
> pdbedit -Lv
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
> casalogic.lan
>
>
>
> - On Oct 27, 2015, at 3:46 PM, Joshua Doll 
> wrote:
>
>
>
> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
> the ipa-adtrust-install --add-sids, even though I was not setting up a
> trust. It would be nice if there was a way to generate these values another
> way, maybe there is but I missed it.
>
> --Joshua D Doll
>
>

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
What about as directory manager?

--Joshua D Doll

On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen  wrote:

> I should think so:
>
> On IPA server.
>
> ipa role-show 'CIFS server'
>   Role name: CIFS server
>   Privileges: CIFS server privilege
>   Member services: cifs/tinkerbell.casalogic@casalogic.lan
>
> ipa privilege-show 'CIFS server privilege'
>   Privilege name: CIFS server privilege
>   Permissions: CIFS test, CIFS server can read user passwords
>   Granting privilege to roles: CIFS server
>
> ipa permission-show 'CIFS server can read user passwords'
>   Permission name: CIFS server can read user passwords
>   Granted rights: read, search, compare
>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>   Bind rule type: permission
>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>   Type: user
>   Granted to Privilege: CIFS server privilege
>   Indirect Member of roles: CIFS server
>
> ipa-getkeytab -s kenai.casalogic.lan -p
> cifs/tinkerbell.casalogic@casalogic.lan -k /tmp/samba.keytab
>
> samba.keytab copied to samba server.
>
> on samba server (tinkerbell):
> kdestroy -A
> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>
> SASL/GSSAPI authentication started
> SASL username: cifs/tinkerbell.casalogic@casalogic.lan
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
Same result... 

ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th 
ipaNTHash 
Enter LDAP Password: 
# extended LDIF 
# 
# LDAPv3 
# base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
I should think so: 

On IPA server. 

ipa role-show 'CIFS server' 
Role name: CIFS server 
Privileges: CIFS server privilege 
Member services: cifs/tinkerbell.casalogic@casalogic.lan 

ipa privilege-show 'CIFS server privilege' 
Privilege name: CIFS server privilege 
Permissions: CIFS test, CIFS server can read user passwords 
Granting privilege to roles: CIFS server 

ipa permission-show 'CIFS server can read user passwords' 
Permission name: CIFS server can read user passwords 
Granted rights: read, search, compare 
Effective attributes: ipaNTHash, ipaNTSecurityIdentifier 
Bind rule type: permission 
Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan 
Type: user 
Granted to Privilege: CIFS server privilege 
Indirect Member of roles: CIFS server 

ipa-getkeytab -s kenai.casalogic.lan -p 
cifs/tinkerbell.casalogic@casalogic.lan -k /tmp/samba.keytab 

samba.keytab copied to samba server. 

on samba server (tinkerbell): 
kdestroy -A 
kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan 
ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash 

SASL/GSSAPI authentication started 
SASL username: cifs/tinkerbell.casalogic@casalogic.lan 
SASL SSF: 56 
SASL data security layer installed. 
# extended LDIF 
# 
# LDAPv3 
# base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Joshua Doll
Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
--add-sids. I did notice when I was setting this up recently that I had to
run the adtrust-install command whenever I added new users or groups. I
don't know if it was just me being impatient or a limitation. Another thing
I noticed that is different between our two setups is I couldn't get this
setup to work on a separate host, I am running samba on the same host as my
ipa service.

--Joshua D Doll

On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen  wrote:

> Same result...
>
> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
> ipaNTHash
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base 

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Joshua Doll
On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen  wrote:

> This might be related to the old thread
> https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html
> but on the other side not quite, and I can't see that it has been
> solved.
>
> I have been spending quite some time on this, but haven't been able to
> solve it yet.
>
> My problem is:
>
> I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
> No Windows and definitely no AD, however we use Samba for sharing files to
> some clients.
>
> Clients are mostly Ubuntu based laptops, completely individually managed.
> No central user admin or anything.
> Users manage their own PC 100%.
>
> We have two IPA servers set up, and all Linux servers authenticate against
> IPA and all that works flawlessly.
>
> We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4,
> using the ipa migrate script and this also worked fine.
>
> Now comes the tricky part that I haven't been able to solve.
>
> I can't seem to set Samba to play with IPA.
>
> I have been trying to use plain old ldapsam backend, but never managed to
> get it to work.
> Seems Samba can't authenticate users.
>
> Tried ipasam backend, using kerberos, following the instructions from the
> old thread:
> https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
> Samba fails to start up, with a:
> [2015/10/27 14:13:42.127557,  0] ipa_sam.c:4478(pdb_init_ipasam)
>   pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain. We cannot work reliably without it.
> [2015/10/27 14:13:42.127785,  0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>   pdb backend ipasam:"ldaps://kenai.casalogic.lan
> ldaps://koda.casalogic.lan" did not correctly init (error was
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> If I look at the users directly in LDAP, I can see they don't have an
> ipaNTHash or ipaNTSecurityIdentifier attribute, but they have preserved
> their old LDAP-ish sambaLMPassword and sambaNTPassword.
>
> I might be completely off, but I need Samba to authenticate users against
> IPA, using password, and not krb as I have no control over the clients.
>
> FreeIPA is currently 4.1
>
> --
>
> Best regards
>
> *Troels Hansen*
>
> Systems Consultant
>
> Casalogic A/S
>
> T  (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.




To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
the ipa-adtrust-install --add-sids, even though I was not setting up a
trust. It would be nice if there was a way to generate these values another
way, maybe there is but I missed it.

--Joshua D Doll
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
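An added example, not code from the thread or from FreeIPA, that ties the two observations above together: the 'CIFS server' permission lets the cifs/ service principal read ipaNTHash and ipaNTSecurityIdentifier, and those are exactly the attributes that users migrated from a Samba3 LDAP tree lack until ipa-adtrust-install has run (and, for ipaNTHash, until IPA has seen the user's password again). The Python script below parses the LDIF that ldapsearch prints and reports, per user, which of the two attributes are missing or malformed and whether the old Samba3 hashes are still stored; the entries, DNs, SID and hash values in it are constructed samples.

```python
"""Audit IPA user entries for the attributes the Samba ipasam backend needs.
Added example, not code from the thread or from FreeIPA.  ipasam finds a user
by ipaNTSecurityIdentifier and checks SMB password logins against ipaNTHash
(the 16-byte MD4 digest of the UTF-16LE password).  Users imported from an
LDAP/Samba3 tree keep sambaNTPassword/sambaLMPassword but get neither IPA
attribute until their password is set again after ipa-adtrust-install."""
import base64
from typing import Dict, List, Tuple

# Lower-cased: LDAP attribute names are case-insensitive.
SAMBA_REQUIRED = ("ipantsecurityidentifier", "ipanthash")
# Samba3 hashes that survive migration; IPA never reads them, but they are
# still password-equivalent secrets and should be removed from the tree.
LEGACY_HASHES = ("sambantpassword", "sambalmpassword")
NT_HASH_LEN = 16
Entry = Tuple[str, Dict[str, List[bytes]]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments, folded lines (leading space) and
    base64 values ('attr:: ...', how ldapsearch prints the binary ipaNTHash)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = "", {}
    for line in lines + [""]:                   # trailing "" flushes last entry
        if not line:
            if dn:
                entries.append((dn, attrs))
            dn, attrs = "", {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):               # attr:: <base64>
            data = base64.b64decode(value[1:].strip())
        else:                                   # attr: <text>
            data = value.strip().encode("utf-8")
        if name.lower() == "dn":
            dn = data.decode("utf-8")
        else:
            attrs.setdefault(name.lower(), []).append(data)
    return entries


def audit(entries: List[Entry]) -> Dict[str, Dict[str, List[str]]]:
    """Per user DN: Samba attributes missing or malformed, legacy hashes kept."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dn, attrs in entries:
        if "uid" not in attrs:                  # not a user entry
            continue
        bad_hash = any(len(v) != NT_HASH_LEN for v in attrs.get("ipanthash", []))
        report[dn] = {
            "missing": [a for a in SAMBA_REQUIRED if a not in attrs],
            "malformed": ["ipanthash"] if bad_hash else [],
            "legacy_hashes": [a for a in LEGACY_HASHES if a in attrs],
        }
    return report


# Constructed ldapsearch output; DNs, SID and hash values are made up.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=th,cn=users,cn=accounts,dc=example,dc=test
uid: th
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-333
 3333333-1001
ipaNTHash:: AAECAwQFBgcICQoLDA0ODw==

# search result
result: 0 Success
"""

if __name__ == "__main__":
    for user, r in audit(parse_ldif(SAMPLE_LDIF)).items():
        state = "usable by Samba" if not (r["missing"] or r["malformed"]) else \
            f"NOT usable by Samba: missing={r['missing']} malformed={r['malformed']}"
        print(f"{user}: {state}")
        if r["legacy_hashes"]:
            print(f"  stale Samba3 hashes still stored: {r['legacy_hashes']}")
```

Run it against real output with `ldapsearch -LLL -Y GSSAPI '(uid=*)' ipaNTHash ipaNTSecurityIdentifier sambaNTPassword sambaLMPassword`; the cifs/ principal from the post can read those attributes only because the permission above grants it.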

[Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Troels Hansen
This might be related to the old thread
https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html but on
the other side not quite, and I can't see that it has been solved.

I have been spending quite some time on this, but haven't been able to solve it 
yet. 

My problem is: 

I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
No Windows and definitely no AD, however we use Samba for sharing files to some
clients.

Clients are mostly Ubuntu based laptops, completely individually managed. No
central user admin or anything.
Users manage their own PC 100%.

We have two IPA servers set up, and all Linux servers authenticate against IPA
and all that works flawlessly.

We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4, using the 
ipa migrate script and this also worked fine. 

Now comes the tricky part that I haven't been able to solve. 

I can't seem to set Samba to play with IPA. 

I have been trying to use plain old ldapsam backend, but never managed to get 
it to work. 
Seems Samba can't authenticate users. 

Tried ipasam backend, using kerberos, following the instructions from the old 
thread: 
https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html 
Samba fails to start up, with a:
[2015/10/27 14:13:42.127557, 0] ipa_sam.c:4478(pdb_init_ipasam)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain. We cannot work reliably without it.
[2015/10/27 14:13:42.127785, 0]
../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
pdb backend ipasam:"ldaps://kenai.casalogic.lan ldaps://koda.casalogic.lan" did
not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

If I look at the users directly in LDAP, I can see they don't have an ipaNTHash
or ipaNTSecurityIdentifier attribute, but they have preserved their old LDAP-ish
sambaLMPassword and sambaNTPassword.

I might be completely off, but I need Samba to authenticate users against IPA,
using password, and not krb as I have no control over the clients.

FreeIPA is currently 4.1

--

Best regards

Troels Hansen

Systems Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-16 Thread Christovam Paynes Silva
2013/9/12 Dmitri Pal d...@redhat.com

  On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:




 2013/9/11 Dmitri Pal d...@redhat.com

  On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:

  It is a pity!
 Thank you!




  I did not get a feeling that we understand the whole picture correctly
 to say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


  Correct!


  2) Presence of AD to rule them


 Correct!

   3) Presence of users (I deduce in AD too, but unclear) = 1000


  Correct! Users are wirelessly. Use windows and linux without domain.


  Intent: use open source technologies instead of proprietary solution.


   That's right!



 What is not clear:
 a) Are the users that come through the portal the same users that use
 Windows Clients or not? Is there an overlap?


  Users are via wireless. Authenticate users on a captive portal with
 Squid. Customers are windows, linux and without domain.


  b) Is there any kind of Linux servers/machines in the picture?


  This question was not clear to me.


 FreeIPA is a domain controller for Linux/UNIX systems. Its main value is to
 manage the Linux environment inside your enterprise. It can manage users and
 groups too as any directory can. It can also authenticate users but its
 value is in creating an integrated Linux environment in terms of identity
 management. It seems that the setup you have does not actually have such a
 Linux environment, i.e. Linux machines to join to the IPA domain and manage.
 The question was: Do you have Linux systems to manage?




I have 5 servers. But that's just me working on them.
I believe we do not need the IPA.
I appreciate the attention.
Thank you.







 If you do not have Linux systems and all users can be stored in one place
 it might be that you do not need FreeIPA. It might be that you can solve
 the problem by using Samba4 instead of AD, connecting your clients to it,
 putting your external portal users into a special OU in Samba4, configuring
 FreeRADIUS to use this OU for authentication. Configure your portal to use
 RADIUS.



  Sorry, I may not have understood the concept of FreeIPA.

  I would like to continue using the AD, because of Group Policy Objects
 (GPO).


 You need to check whether Samba 4 supports GPO and to what extent.

 http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F


It has the ability to authenticate email services, applications, among
 others directly in Samba4?


 Yes as with any LDAP server, but if you are planning to use AD then you do
 not need Samba 4 either.
 You then point your mail service and applications to AD directly.
 Most modern applications have some sort of LDAP integration for
 identity lookup and authentication. That means you would be able to point
 them to pretty much any directory: AD, Samba4, IPA, 389 ...








 HTH

 Thanks
 Dmitri






Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-12 Thread Dmitri Pal
On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:



 2013/9/11 Dmitri Pal d...@redhat.com mailto:d...@redhat.com

 On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
 It is a pity!
 Thank you!



 I did not get a feeling that we understand the whole picture
 correctly to say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


 Correct!
  

 2) Presence of AD to rule them

  
 Correct!

 3) Presence of users (I deduce in AD too, but unclear) = 1000


 Correct! Users are wirelessly. Use windows and linux without domain.
  

 Intent: use open source technologies instead of proprietary solution.


 That's right!
  


 What is not clear:
 a) Are the users that come through the portal the same users that
 use Windows Clients or not? Is there an overlap?


 Users are via wireless. Authenticate users on a captive portal with
 Squid. Customers are windows, linux and without domain.
  

 b) Is there any kind of Linux servers/machines in the picture?


 This question was not clear to me.

FreeIPA is a domain controller for Linux/UNIX systems. Its main value is
to manage the Linux environment inside your enterprise. It can manage users
and groups too as any directory can. It can also authenticate users but
its value is in creating an integrated Linux environment in terms of
identity management. It seems that the setup you have does not actually
have such a Linux environment, i.e. Linux machines to join to the IPA domain
and manage.
The question was: Do you have Linux systems to manage?

  


 If you do not have Linux systems and all users can be stored in
 one place it might be that you do not need FreeIPA. It might be
 that you can solve the problem by using Samba4 instead of AD,
 connecting your clients to it, putting your external portal users
 into a special OU in Samba4, configuring FreeRADIUS to use this OU
 for authentication. Configure your portal to use RADIUS.



 Sorry, I may not have understood the concept of FreeIPA.

 I would like to continue using the AD, because of Group Policy Objects
 (GPO).

You need to check whether Samba 4 supports GPO and to what extent.
http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

 It has the ability to authenticate email services, applications, among
 others directly in Samba4?

Yes as with any LDAP server, but if you are planning to use AD then you
do not need Samba 4 either.
You then point your mail service and applications to AD directly.
Most modern applications have some sort of LDAP integration for
identity lookup and authentication. That means you would be able to
point them to pretty much any directory: AD, Samba4, IPA, 389 ...




  


 HTH

 Thanks
 Dmitri






Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-12 Thread Christovam Paynes Silva
2013/9/11 Dmitri Pal d...@redhat.com

  On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:

  It is a pity!
 Thank you!




 I did not get a feeling that we understand the whole picture correctly to
 say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


Correct!


  2) Presence of AD to rule them


Correct!

 3) Presence of users (I deduce in AD too, but unclear) = 1000


Correct! Users are wirelessly. Use windows and linux without domain.


  Intent: use open source technologies instead of proprietary solution.


That's right!



 What is not clear:
 a) Are the users that come through the portal the same users that use
 Windows Clients or not? Is there an overlap?


Users are via wireless. Authenticate users on a captive portal with
Squid. Customers are windows, linux and without domain.


 b) Is there any kind of Linux servers/machines in the picture?


This question was not clear to me.



 If you do not have Linux systems and all users can be stored in one place
 it might be that you do not need FreeIPA. It might be that you can solve
 the problem by using Samba4 instead of AD, connecting your clients to it,
 putting your external portal users into a special OU in Samba4, configuring
 FreeRADIUS to use this OU for authentication. Configure your portal to use
 RADIUS.



Sorry, I may not have understood the concept of FreeIPA.

I would like to continue using the AD, because of Group Policy Objects
(GPO).
It has the ability to authenticate email services, applications, among
others directly in Samba4?





 HTH

 Thanks
 Dmitri






[Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
Hello!

First I apologize if this topic is redundant.

I'm looking into the implementation of FreeIPA. Looking through the forums,
there are some comments that authentication does not work with Samba4.
Elsewhere they say that the possibility exists. Today we have nearly 200
computers in the domain with Active Directory and one wireless captive
portal with 1000+ proxy users.
I would like to see if the following scenario is possible:
1 - Integrating Samba4 with Active Directory, to use their GPO and
authenticate network users through FreeIPA.
2 - Authenticate proxy servers in FreeIPA.
3 - And if it is possible some integration with FreeRADIUS

Thank you!

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
 Hello!
 
 
 First I apologize if this topic is redundant.
 
 
 I'm looking into the implementation of FreeIPA. Looking through the
 forums, there are some comments that authentication does not work with
 Samba4. Elsewhere they say that the possibility exists. Today we have
 nearly 200 computers in the domain with Active Directory and one
 wireless captive portal with 1000+ proxy users.
 
 I would like to see if the following scenario is possible:
 1 - Integrating Samba4 with Active Directory, to use their GPO and
 authenticate network users through FreeIPA.
 2 - Authenticate proxy servers in FreeIPA.
 3 - And if it is possible some integration with FreeRADIUS
 

Hi Christovam, it is a bit unclear what you mean by integrating here.

Is your intent to use Samba4 as an AD domain controller for your Windows
clients and IPA for your servers?

If that's the case, unfortunately this is not possible at the moment as
Samba4 does not yet support forest-level trusts.
A Microsoft AD server can be used this way instead.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Dmitri Pal
On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
 It is a pity!
 Thank you!



I did not get a feeling that we understand the whole picture correctly
to say that we provided the full answer.

What I get from the description:
1) Presence of Windows Clients = 100
2) Presence of AD to rule them
3) Presence of users (I deduce in AD too, but unclear) = 1000

Intent: use open source technologies instead of proprietary solution.

What is not clear:
a) Are the users that come through the portal the same users that use
Windows Clients or not? Is there an overlap?
b) Is there any kind of Linux servers/machines in the picture?

If you do not have Linux systems and all users can be stored in one
place it might be that you do not need FreeIPA. It might be that you can
solve the problem by using Samba4 instead of AD, connecting your clients
to it, putting your external portal users into a special OU in Samba4,
configuring FreeRADIUS to use this OU for authentication. Configure your
portal to use RADIUS.

HTH

Thanks
Dmitri







-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
 Hello Simo, thanks for the feedback.
 I would use Samba4 with AD and authenticate my Windows clients in
 FreeIPA.
 Is this possible?

It is not possible at this point to combine Samba4 AD and freeIPA.

Simo.
 


-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
Hello Simo, thanks for the feedback.
I would use Samba4 with AD and authenticate my Windows clients in
FreeIPA.
Is this possible?




Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
It is a pity!
Thank you!


