Re: [Freeipa-users] ipa samba win7
On Tue, 2012-07-10 at 09:59 -0700, george he wrote:
> Hi Simo,
> Could you advise how to add
>
> 1. the samba samAccount objectclass to a user, and
> 2. the sambaGroups class to a group?
>
> I guess I would need to use ldap commands, which I don't know enough.

Yes we do not have pre-canned scripts for samba integration yet.

> By the way, do I need to add both of the above, or if everybody is
> allowed to use the samba share, (and they are all in ipausers group),
> I would only need to add the sambaGroups class to ipausers group?

Up to you which groups you want to 'samba-enable', however the groups need to be 'posix' groups, and we recently changed ipausers to be a non-posix group.

Of course existing installations will not be affected, but if you are planning new ones keep in mind ipausers cannot generally be used as a samba group unless you turn it into a posix group first.

However, also keep in mind we discourage using ipausers as a posix group for performance reasons in domains with many users and recommend instead to create smaller targeted groups.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa samba win7
Hi Simo,
Could you advise how to add

1. the samba samAccount objectclass to a user, and
2. the sambaGroups class to a group?

I guess I would need to use ldap commands, which I don't know enough.

By the way, do I need to add both of the above, or if everybody is allowed to use the samba share, (and they are all in ipausers group), I would only need to add the sambaGroups class to ipausers group?

Thanks,
George

> From: Simo Sorce
> To: george he
> Cc: "freeipa-users@redhat.com"
> Sent: Tuesday, July 10, 2012 9:56 AM
> Subject: Re: [Freeipa-users] ipa samba win7
>
> On Tue, 2012-07-10 at 06:01 -0700, george he wrote:
>> Hello all,
>> I have an ipa client that is also a file server. How do I set up a
>> samba server on the file server so that the files can be accessed by a
>> win7 machine, which is not a member of the ipa realm?
>> Should I set the file server as a domain controller? How do I deal
>> with the "passdb backend" option? I guess I can set it to "ldapsam",
>> but the user information is kept on the ipa server, not the file
>> server.
>> What else should I take care of before I start?
>> ps. my ipa version is 2.2, running on fc17.
>>
>
> You can install samba with the ldapsam passdb backend.
> security = user will suffice, you do not need to make it a domain
> controller.
> Authentication will happen only using NTLM, so you will have to add the
> samba samAccount objectclass to those users that you want to be able to
> log in to samba and the sambaGroups class to those groups you want to
> use with samba.
> After you added the right objectclass to users you will need to change
> the user's password once so that the ipa-pwd-extop plugin can generate NT
> hashes for the user.
> Once that is done samba should allow you to log in using the ipa
> password.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa samba win7
On Tue, 2012-07-10 at 06:01 -0700, george he wrote:
> Hello all,
> I have an ipa client that is also a file server. How do I set up a
> samba server on the file server so that the files can be accessed by a
> win7 machine, which is not a member of the ipa realm?
> Should I set the file server as a domain controller? How do I deal
> with the "passdb backend" option? I guess I can set it to "ldapsam",
> but the user information is kept on the ipa server, not the file
> server.
> What else should I take care of before I start?
> ps. my ipa version is 2.2, running on fc17.
>

You can install samba with the ldapsam passdb backend.
security = user will suffice, you do not need to make it a domain controller.

Authentication will happen only using NTLM, so you will have to add the samba samAccount objectclass to those users that you want to be able to log in to samba and the sambaGroups class to those groups you want to use with samba.

After you added the right objectclass to users you will need to change the user's password once so that the ipa-pwd-extop plugin can generate NT hashes for the user.

Once that is done samba should allow you to log in using the ipa password.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
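
Added example (not part of the original thread, and not FreeIPA or Samba project code): shell functions that generate the LDIF for the LDAP changes Simo describes in his two replies, adding the Samba object class to one user and to one posix group. It assumes the thread's "samAccount" and "sambaGroups" classes are sambaSamAccount and sambaGroupMapping from the Samba LDAP schema; the base DN, host name, SID, sample ids and the RID formulas (2*uid+1000, 2*gid+1001) are assumptions as well.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumed values: SUFFIX, DOMAIN_SID,
# host names, and the RID formulas 2*uid+1000 / 2*gid+1001 (smbldap-tools style).
SUFFIX="dc=example,dc=com"                              # assumed IPA base DN
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"  # constructed; see `net getlocalsid`

# Only plain names go into a DN, so input cannot inject extra RDNs or LDIF lines.
safe_name() { case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }

# rid <idNumber> <offset>: print the RID, or fail if the id is not a clean
# decimal (a leading zero would be read as octal) or the RID exceeds 32 bits.
rid() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 10 ] || return 1
    _rid=$(( $1 * 2 + $2 ))
    [ "$_rid" -le 4294967295 ] || return 1
    echo "$_rid"
}

# user_ldif <uid> <uidNumber>: add sambaSamAccount and its mandatory sambaSID.
user_ldif() {
    safe_name "$1" || return 1
    _r=$(rid "$2" 1000) || return 1
    printf '%s\n' "dn: uid=$1,cn=users,cn=accounts,$SUFFIX" "changetype: modify" \
        "add: objectClass" "objectClass: sambaSamAccount" "-" \
        "add: sambaSID" "sambaSID: $DOMAIN_SID-$_r"
}

# group_ldif <cn> <gidNumber>: add sambaGroupMapping (the group must already be
# a posix group, i.e. have a gidNumber); sambaGroupType 2 marks a domain group.
group_ldif() {
    safe_name "$1" || return 1
    _r=$(rid "$2" 1001) || return 1
    printf '%s\n' "dn: cn=$1,cn=groups,cn=accounts,$SUFFIX" "changetype: modify" \
        "add: objectClass" "objectClass: sambaGroupMapping" "-" \
        "add: sambaSID" "sambaSID: $DOMAIN_SID-$_r" "-" \
        "add: sambaGroupType" "sambaGroupType: 2"
}

# Constructed sample ids. Review the output, then apply it with e.g.
#   user_ldif jdoe 1234500001 | ldapmodify -Y GSSAPI -H ldap://ipa.example.com
# and have the user change the password once so the NT hash is generated.
user_ldif jdoe 1234500001
echo
group_ldif smbusers 1234500010
```

The NT hash stored after the password change is password-equivalent for NTLM, so read access to it should be limited to the account Samba binds with.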
Re: [Freeipa-users] ipa samba win7
Well, if you want to integrate Windows machines, you'd better stick with Samba (you can try Samba 4 if you prefer the IPA-like integration).
IPA itself "looks and feels" like AD but it is not compatible with AD - it is intended mainly for Linux machines.

Ondrej

On 07/10/2012 03:25 PM, george he wrote:
> Hi Ondrej,
> The win7 is standing alone. I don't have an AD for it.
> I used to have a samba domain controller that took care of user
> authentication for both linux and winxp machines.
> Thanks,
> George
>
>> From: Ondrej Valousek
>> To: freeipa-users@redhat.com
>> Sent: Tuesday, July 10, 2012 9:12 AM
>> Subject: Re: [Freeipa-users] ipa samba win7
>>
>> Do you have an AD for the win7 machine or is it just standalone machine?
>> Ondrej
>>
>> On 07/10/2012 03:01 PM, george he wrote:
>>> Hello all,
>>> I have an ipa client that is also a file server. How do I set up a samba
>>> server on the file server so that the files can be accessed by a win7
>>> machine, which is not a member of the ipa realm?
>>> Should I set the file server as a domain controller? How do I deal with the
>>> "passdb backend" option? I guess I can set it to "ldapsam", but the user
>>> information is kept on the ipa server, not the file server.
>>> What else should I take care of before I start?
>>> ps. my ipa version is 2.2, running on fc17.
>>>
>>> Thanks,
>>> George
Re: [Freeipa-users] ipa samba win7
Hi Ondrej,
The win7 is standing alone. I don't have an AD for it.
I used to have a samba domain controller that took care of user authentication for both linux and winxp machines.

Thanks,
George

> From: Ondrej Valousek
> To: freeipa-users@redhat.com
> Sent: Tuesday, July 10, 2012 9:12 AM
> Subject: Re: [Freeipa-users] ipa samba win7
>
> Do you have an AD for the win7 machine or is it just standalone machine?
> Ondrej
>
> On 07/10/2012 03:01 PM, george he wrote:
>> Hello all,
>> I have an ipa client that is also a file server. How do I set up a samba
>> server on the file server so that the files can be accessed by a win7
>> machine, which is not a member of the ipa realm?
>> Should I set the file server as a domain controller? How do I deal with the
>> "passdb backend" option? I guess I can set it to "ldapsam", but the user
>> information is kept on the ipa server, not the file server.
>> What else should I take care of before I start?
>> ps. my ipa version is 2.2, running on fc17.
>>
>> Thanks,
>> George
Re: [Freeipa-users] ipa samba win7
Do you have an AD for the win7 machine or is it just a standalone machine?

Ondrej

On 07/10/2012 03:01 PM, george he wrote:
> Hello all,
> I have an ipa client that is also a file server. How do I set up a samba
> server on the file server so that the files can be accessed by a win7
> machine, which is not a member of the ipa realm?
> Should I set the file server as a domain controller? How do I deal with the
> "passdb backend" option? I guess I can set it to "ldapsam", but the user
> information is kept on the ipa server, not the file server.
> What else should I take care of before I start?
> ps. my ipa version is 2.2, running on fc17.
>
> Thanks,
> George
[Freeipa-users] ipa samba win7
Hello all,
I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm?
Should I set the file server as a domain controller? How do I deal with the "passdb backend" option? I guess I can set it to "ldapsam", but the user information is kept on the ipa server, not the file server.
What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.

Thanks,
George