Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-13 Thread Dylan Evans
Hi Dmitri & Jakub,

Yes, for us it is the use case. Non-domain logins / NTLMSSP support in SSSD
is the final component we seem to need to allow Windows clients from a
non-trusted AD domain to access Samba shares using a username and
password combination, without having to use Kerberos.

IPA and SSSD are a phenomenal body of work that has huge potential; all
your work is much appreciated.

Thanks, Dylan.

On 12 May 2015 at 17:47, Dmitri Pal d...@redhat.com wrote:
 On 05/12/2015 07:03 AM, Dylan Evans wrote:

 Hi Jakub,

 It's good to know it's going to happen, let's hope it gets into 1.13
 and everyone has a very productive summer!

 I've been watching IPA for a couple of years and this is the last
 thing that's preventing it from being implemented in our production
 environment.


 So is this use case the main reason for needing NTLMSSP support, or are
 there other use cases that drive this requirement?
 Can you please share them?


 Thanks,

 Dylan.

 On 11 May 2015 at 20:42, John Obaterspok john.obaters...@gmail.com
 wrote:

 I have about the same setup:

 This is the setup (everything is up-to-date):
 - ipa-server: F21, ipa-server 4.1, samba 4.1
 - win-client: Windows 7 Home Premium

 I tried to enroll the win-client in the domain but failed on the windows
 side due to home editions not being able to join a domain.
 But I can still access shares from the win-client by user/pwd

 The only difference in my setup is that I use samba server on the
 ipa-server
 itself.

 -- john

 2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

 On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:

 By coincidence I posted a very similar question yesterday -
 https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.

 +1 for the necessary support for out-of-domain Windows clients and
 NTLMSSP.

 Is there a time-table for this?

 It is a nice-to-have feature for the next SSSD version (1.13, this
 summer), but my hopes are not high that we're going to make it. I think
 1.14 is more realistic.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project




 --
 Thank you,
 Dmitri Pal

 Director of Engineering for IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-12 Thread Dmitri Pal

On 05/12/2015 07:03 AM, Dylan Evans wrote:
> Hi Jakub,
>
> It's good to know it's going to happen, let's hope it gets into 1.13
> and everyone has a very productive summer!
>
> I've been watching IPA for a couple of years and this is the last
> thing that's preventing it from being implemented in our production
> environment.

So is this use case the main reason for needing NTLMSSP support, or are
there other use cases that drive this requirement?

Can you please share them?

> Thanks,
>
> Dylan.
>
> On 11 May 2015 at 20:42, John Obaterspok john.obaters...@gmail.com wrote:
>> I have about the same setup:
>>
>> This is the setup (everything is up-to-date):
>> - ipa-server: F21, ipa-server 4.1, samba 4.1
>> - win-client: Windows 7 Home Premium
>>
>> I tried to enroll the win-client in the domain but failed on the windows
>> side due to home editions not being able to join a domain.
>> But I can still access shares from the win-client by user/pwd
>>
>> The only difference in my setup is that I use samba server on the ipa-server
>> itself.
>>
>> -- john
>>
>> 2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:
>>
>>> On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
>>>> By coincidence I posted a very similar question yesterday -
>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
>>>>
>>>> +1 for the necessary support for out-of-domain Windows clients and
>>>> NTLMSSP.
>>>>
>>>> Is there a time-table for this?
>>>
>>> It is a nice-to-have feature for the next SSSD version (1.13, this
>>> summer), but my hopes are not high that we're going to make it. I think
>>> 1.14 is more realistic.





--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-12 Thread Dylan Evans
Hi Jakub,

It's good to know it's going to happen, let's hope it gets into 1.13
and everyone has a very productive summer!

I've been watching IPA for a couple of years and this is the last
thing that's preventing it from being implemented in our production
environment.

Thanks,

Dylan.

On 11 May 2015 at 20:42, John Obaterspok john.obaters...@gmail.com wrote:
 I have about the same setup:

 This is the setup (everything is up-to-date):
 - ipa-server: F21, ipa-server 4.1, samba 4.1
 - win-client: Windows 7 Home Premium

 I tried to enroll the win-client in the domain but failed on the windows
 side due to home editions not being able to join a domain.
 But I can still access shares from the win-client by user/pwd

 The only difference in my setup is that I use samba server on the ipa-server
 itself.

 -- john

 2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

 On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
  By coincidence I posted a very similar question yesterday -
  https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
 
  +1 for the necessary support for out-of-domain Windows clients and
  NTLMSSP.
 
  Is there a time-table for this?

 It is a nice-to-have feature for the next SSSD version (1.13, this
 summer), but my hopes are not high that we're going to make it. I think
 1.14 is more realistic.






Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-12 Thread box 31978
Hi all,

Thank you very much for all your feedback.

John, I've already tried your setup and it works nicely ... but I still
need to split services among VMs, so no chance anyway.

And I agree with you: it's a must-have feature. As for Dylan, it's the last
thing that keeps me from moving it to production (and I want it to ;-), but
I must admit that the design/implementation seems complex, as Alexander said. I
hope it will be solved ASAP.

Thanks!

Regards,

A.



2015-05-12 13:03 GMT+02:00 Dylan Evans devan...@gmail.com:

 Hi Jakub,

 It's good to know it's going to happen, let's hope it gets into 1.13
 and everyone has a very productive summer!

 I've been watching IPA for a couple of years and this is the last
 thing that's preventing it from being implemented in our production
 environment.

 Thanks,

 Dylan.

 On 11 May 2015 at 20:42, John Obaterspok john.obaters...@gmail.com
 wrote:
  I have about the same setup:
 
  This is the setup (everything is up-to-date):
  - ipa-server: F21, ipa-server 4.1, samba 4.1
  - win-client: Windows 7 Home Premium
 
  I tried to enroll the win-client in the domain but failed on the windows
  side due to home editions not being able to join a domain.
  But I can still access shares from the win-client by user/pwd
 
  The only difference in my setup is that I use samba server on the
 ipa-server
  itself.
 
  -- john
 
  2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:
 
  On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
   By coincidence I posted a very similar question yesterday -
   https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
  
   +1 for the necessary support for out-of-domain Windows clients and
   NTLMSSP.
  
   Is there a time-table for this?
 
  It is a nice-to-have feature for the next SSSD version (1.13, this
  summer), but my hopes are not high that we're going to make it. I think
  1.14 is more realistic.
 
 
 


Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-11 Thread John Obaterspok
I have about the same setup:

This is the setup (everything is up-to-date):
- ipa-server: F21, ipa-server 4.1, samba 4.1
- win-client: Windows 7 Home Premium

I tried to enroll the win-client in the domain but failed on the windows
side due to home editions not being able to join a domain.
But I can still access shares from the win-client by user/pwd

The only difference in my setup is that I use samba server on the
ipa-server itself.

-- john

2015-05-10 19:02 GMT+02:00 Jakub Hrozek jhro...@redhat.com:

 On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
  By coincidence I posted a very similar question yesterday -
  https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
 
  +1 for the necessary support for out-of-domain Windows clients and
 NTLMSSP.
 
  Is there a time-table for this?

 It is a nice-to-have feature for the next SSSD version (1.13, this
 summer), but my hopes are not high that we're going to make it. I think
 1.14 is more realistic.



Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-10 Thread Jakub Hrozek
On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
 By coincidence I posted a very similar question yesterday -
 https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
 
 +1 for the necessary support for out-of-domain Windows clients and NTLMSSP.
 
 Is there a time-table for this?

It is a nice-to-have feature for the next SSSD version (1.13, this summer),
but my hopes are not high that we're going to make it. I think 1.14 is more
realistic.



Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-07 Thread Alexander Bokovoy

On Thu, 07 May 2015, box 31978 wrote:
> Hello Alexander,
>
> Thank you very much for your answers!
>
>> If Windows client is not a part of the domain, there is no SSO and no
>> Kerberos. Windows client will attempt using NTLMSSP authentication.
>> ...
>> Right now -- yes. You are saying you've been following FreeIPA's Samba
>> integration guide which I assume is
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
>> which only works for Kerberos authentication because NTLMSSP is not
>> supported by the SSSD.
>
> Yes, your assumption is absolutely exact ;-)
>
> That's clear now, my thoughts went in this direction too: anyone is
> handling a new kerberos ticket request because of authentication type.
>
>> Not really. The story is more complex than it seems and right now there
>> is no ready-made solution for out-of-domain Windows clients.
>
> Ok, I understand.
>
> Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
> works fine on Samba3 and 389-DS), but I'm not sure about the configuration.
> Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
> and LDAP auth (added settings in sssd.conf) at the same time for the same
> domain? Will it work together or will I have to choose one of the two?

SSSD can, but you need Samba to be aware of these things because Samba
needs way more than just passwords. FreeIPA uses a different LDAP schema
for the additional attributes compared to what the standard Samba PASSDB
module for LDAP expects, so if you enable that one in smb.conf, you'll
get nothing.

As Christoph pointed out in the other email, you may try to enable the older
Samba-compatible scheme but that wouldn't play well with IPA's support
for SIDs (including on the SSSD side) as we are using different attributes
and you'll be forced to maintain certain aspects manually.

There is hope to get NTLMSSP support implemented but not soon; we have
bits in place but there is still work to be done.
--
/ Alexander Bokovoy



Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-07 Thread box 31978
Hello Alexander,

Thank you very much for your answers!

 If Windows client is not a part of the domain, there is no SSO and no
 Kerberos. Windows client will attempt using NTLMSSP authentication.
 ...
 Right now -- yes. You are saying you've been following FreeIPA's Samba
 integration guide which I assume is
 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
 which only works for Kerberos authentication because NTLMSSP is not
 supported by the SSSD.

Yes, your assumption is absolutely exact ;-)

That's clear now, my thoughts went in this direction too: anyone is
handling a new kerberos ticket request because of authentication type.

 Not really. The story is more complex than it seems and right now there
 is no ready-made solution for out-of-domain Windows clients.

Ok, I understand.

Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
works fine on Samba3 and 389-DS), but I'm not sure about the configuration.
Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
and LDAP auth (added settings in sssd.conf) at the same time for the same
domain? Will it work together or will I have to choose one of the two?

Thank you!

Regards,

A.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-07 Thread box 31978
Hello Chris,

And thank you too for your answers!

> Our end users use a mix of Windows and OSX laptops / workstations. These
> are not members of any kind of domain. They access our file servers via
> Samba shares authenticated by freeIPA.
> The samba server is a freeIPA client.
> The samba config on the freeIPA side looks like it was done along the
> lines in the link
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
> The ldap config in our samba smb.conf looks like this:
> security = user
> passdb backend = ldapsam:ldap://ldap.my.example.com
> ldap suffix = dc=my,dc=example,dc=com
> ldap admin dn = cn=Directory Manager
> ldap ssl = off

That's interesting: Samba as an IPA client and resolving via LDAP, what
about sssd.conf?

I already know the link (and I don't like very much patching the code), but
it won't be needed anymore since “ipa-server-trust-ad” is out, right?

Thanks and cheers!

A.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-07 Thread box 31978
Hi Alexander,

Thank you very much for all that precious information.

> SSSD can, but you need Samba to be aware of these things because Samba
> needs way more than just passwords. FreeIPA uses a different LDAP schema
> for the additional attributes compared to what the standard Samba PASSDB
> module for LDAP expects, so if you enable that one in smb.conf, you'll
> get nothing.

You're absolutely correct. Just after mailing you, I've been testing it and
Samba can successfully connect to IPA's LDAP but didn't find the password
backend.

> As Christoph pointed out in the other email, you may try to enable the older
> Samba-compatible scheme but that wouldn't play well with IPA's support
> for SIDs (including on the SSSD side) as we are using different attributes
> and you'll be forced to maintain certain aspects manually.

Then, I'd go for a straightforward 389-DS instance with the Samba schema and
authenticate other servers and clients against it via LDAP + TLS over SSSD.
I've got this setup running on production systems and it has worked flawlessly
for a couple of years now.

I don't like very much patching here and there, and then having to fight
with upstream updates that can break something. Everything must (almost)
work out of the box.

> There is hope to get NTLMSSP support implemented but not soon; we have
> bits in place but there is still work to be done.

Your work with IPA is absolutely awesome. I have followed the project from early
versions and I'm a big proponent of moving from my classic LDAP approach.

I think IPA is the way to go for further deployments, but I understand that
mixed environments (as mine) are complicated to solve: lots of work and
many things that can be problematic.

Again, thank you very much.

Regards,

A.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-07 Thread Dylan Evans
By coincidence I posted a very similar question yesterday -
https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.

+1 for the necessary support for out-of-domain Windows clients and NTLMSSP.

Is there a time-table for this?

Thanks,

Dylan.

On 7 May 2015 at 08:48, Alexander Bokovoy aboko...@redhat.com wrote:
 On Thu, 07 May 2015, box 31978 wrote:

 Hello Alexander,

 Thank you very much for your answers!

 If Windows client is not a part of the domain, there is no SSO and no
 Kerberos. Windows client will attempt using NTLMSSP authentication.
 ...
 Right now -- yes. You are saying you've been following FreeIPA's Samba
 integration guide which I assume is
 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
 which only works for Kerberos authentication because NTLMSSP is not
 supported by the SSSD.


 Yes, your assumption is absolutely exact ;-)

 That's clear now, my thoughts went in this direction too: anyone is
 handling a new kerberos ticket request because of authentication type.

 Not really. The story is more complex than it seems and right now there
 is no ready-made solution for out-of-domain Windows clients.


 Ok, I understand.

 Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
 works fine on Samba3 and 389-DS), but I'm not sure about the
 configuration.
 Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
 and LDAP auth (added settings in sssd.conf) at the same time for the same
 domain? Will it work together or will I have to choose one of the two?

 SSSD can, but you need Samba to be aware of these things because Samba
 needs way more than just passwords. FreeIPA uses a different LDAP schema
 for the additional attributes compared to what the standard Samba PASSDB
 module for LDAP expects, so if you enable that one in smb.conf, you'll
 get nothing.

 As Christoph pointed out in the other email, you may try to enable the older
 Samba-compatible scheme but that wouldn't play well with IPA's support
 for SIDs (including on the SSSD side) as we are using different attributes
 and you'll be forced to maintain certain aspects manually.

 There is hope to get NTLMSSP support implemented but not soon; we have
 bits in place but there is still work to be done.

 --
 / Alexander Bokovoy




Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread Christopher Lamb
Hi

Yes, it's possible to operate freeIPA and Samba as you suggest, we have
been doing so for some years now (with several freeIPA and Samba versions).

Our end users use a mix of Windows and OSX laptops / workstations. These
are not members of any kind of domain. They access our file servers via
Samba shares authenticated by freeIPA.

The samba server is a freeIPA client.

The samba config on the freeIPA side looks like it was done along the lines
in the link
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The ldap config in our samba smb.conf looks like this:

security = user
passdb backend = ldapsam:ldap://ldap.my.example.com
ldap suffix = dc=my,dc=example,dc=com
ldap admin dn = cn=Directory Manager
ldap ssl = off

Cheers

Chris



From: box 31978 box31...@gmail.com
To: freeipa-users@redhat.com
Date: 06.05.2015 23:18
Subject: [Freeipa-users] freeipa-samba integration and windows clients
Sent by: freeipa-users-boun...@redhat.com



Hello everyone,

These days I'm testing integration between FreeIPA4 and Samba4 at file
sharing level. Everything seems to work fine except share access from a
standalone Windows client.

This is the setup (everything is up-to-date):
- ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plugin
- file-server: CentOS 7.1, ipa-client 4.1, samba 4.1 (sharing home dirs,
not a DC)
- win-client: Windows 7 Home Premium

Config is done following the FreeIPA's Samba integration guide, and testing
with samba-client from ipa-server (or any other ipa-joined machine) to
file-server using kerberos after calling kinit is successful (file
manipulation included).

Attempts to connect to the same share from win-client end up with a login
error. Analyzing logs: Samba can't find the user because it can't find any
DC, and that's because Samba can't resolve the workgroup name (note that's not
a question of SSO: win-client asks to type username and password). It seems
that maybe Samba is not handling new kerberos ticket requests.

By now, my questions are:
- Can this setup work, or is it absolutely necessary that any Windows client
expecting to access Samba shares is already joined to a trusted domain?
- If this setup can't be done, I'll go for an LDAP config in file-server
against ipa-server, but then, can I keep the file-server joined with
ipa-client? Will it work?

Feel free to ask whatever you want, any suggestions will be welcome.
Thanks!

Regards,

A.


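As an added example, not code from the thread or from the FreeIPA or Samba projects: a small Python linter that parses the smb.conf fragment Chris posted above and flags the two settings a defender would revisit before reusing it, `ldap ssl = off` on a plain `ldap://` backend (the bind password and passdb data cross the network unencrypted) and binding as `cn=Directory Manager` (the 389-DS superuser rather than a least-privilege service account). The hardened variant and its bind-account DN are assumptions constructed for the example; `start tls` is Samba's documented value for `ldap ssl`.

```python
"""
Added example: lint the Samba ldapsam settings quoted in this thread.

The thread's smb.conf fragment is used only as input data.  The hardened
variant is constructed for comparison and its bind DN is a placeholder,
not an account anyone in the thread mentions.
"""
import re

# The smb.conf fragment exactly as quoted in the thread (input data only).
THREAD_SMB_CONF = """\
security = user
passdb backend = ldapsam:ldap://ldap.my.example.com
ldap suffix = dc=my,dc=example,dc=com
ldap admin dn = cn=Directory Manager
ldap ssl = off
"""

# Constructed variant for comparison; the service-account DN is a placeholder.
HARDENED_SMB_CONF = """\
[global]
security = user
passdb backend = ldapsam:ldap://ldap.my.example.com
ldap suffix = dc=my,dc=example,dc=com
# dedicated bind account with read access to the needed attributes only
ldap admin dn = uid=samba-bind,cn=sysaccounts,cn=etc,dc=my,dc=example,dc=com
ldap ssl = start tls
"""


def parse_smb_conf(text):
    """Parse smb.conf-style ``key = value`` lines into a dict.

    Keys are lower-cased with internal whitespace collapsed, matching how
    Samba treats parameter names.  Section headers, blank lines and
    ``#``/``;`` comment lines are skipped.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        if "=" not in line:
            continue  # not a parameter line; ignore
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[key] = value.strip()
    return params


def lint_ldapsam(params):
    """Return a list of findings for the LDAP passdb settings."""
    findings = []
    backend = params.get("passdb backend", "")
    if not backend.lower().startswith("ldapsam:"):
        return findings  # the checks below only apply to the ldapsam backend

    uri = backend.split(":", 1)[1].strip()
    ssl_mode = params.get("ldap ssl", "").lower()
    # ldap:// with `ldap ssl = off` means the bind password and passdb data
    # travel in clear text; ldaps:// and ldapi:// (local socket) do not.
    if uri.lower().startswith("ldap://") and ssl_mode == "off":
        findings.append("ldap ssl = off with ldap:// backend: LDAP traffic, "
                        "including the bind password, is unencrypted")

    admin_dn = params.get("ldap admin dn", "")
    if admin_dn.strip().lower() == "cn=directory manager":
        findings.append("ldap admin dn is the 389-DS superuser (Directory "
                        "Manager); use a dedicated least-privilege bind account")
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint."""
    return lint_ldapsam(parse_smb_conf(text))


if __name__ == "__main__":
    for name, conf in (("thread", THREAD_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{name}: {lint_text(conf) or ['no findings']}")
```

Running the block reports two findings for the thread's fragment and none for the hardened variant. It only checks transport and bind-account hygiene; it does nothing about the schema mismatch Alexander describes, where the stock ldapsam module does not find IPA's password attributes at all.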


[Freeipa-users] FreeIPA samba integration

2012-09-03 Thread David Björkevik
Hi List

I just recently deployed FreeIPA 2.2 on a CentOS 6 box.  Everything went
very smoothly until I got to the issue of Samba integration.

What I want to accomplish is a dumb Windows file sharing server,
without domain logons or anything.  I just want Windows (and Linux)
users to be able to map a share using the user name and password they
have in the FreeIPA database.  The windows clients do not have kerberos
and are not authenticated against the FreeIPA server.

I gathered some ideas from
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
and
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
neither of which works 100% or goes into the smb.conf part of the setup.

Are there any other HowTos on this that I may have missed?  Does anyone
have a working configuration similar to this?

Regards,
David Björkevik

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users