Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-25 Thread Marc Grimme
On 24.03.2013 18:14, Martin wrote:
> That guide at techslaves.org sounds like a perfect match for our needs,
> unfortunately the map and reality didn't quite match...
>
> Point 4.3 says:
>
>> 4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos
>> ticket, try creating a new group:
>>
>> account@ipaserver:~
>> $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
>> -
>> Added group "testgrp"
>> -
>>   Group name: testgrp
>>   Description: Testing the group.py CLI mods
>>   GID: 1234500010
>>   Samba Group Type: 4
> So I did. However, all I get is:
>
>> ipa: ERROR: Unknown option: sambagrouptype
> but I've followed the instructions carefully. There's, however, an added
> complication here and that's that the sambaserver runs on a different
> machine than the IPA-server and since it's not obvious (to me at least)
> which part goes where I ran all the commands on the sambaserver. I bet
> at least some of the steps would have to be run on the IPA-server.
>
> Does anyone have an idea what went wrong? All the commands went through
> without a problem until ipa group-add...
>
> Regards
I'm using this configuration with IPA based on 6.3 and had to patch the
ipa python scripts.
I'm also far from an acceptable solution but still I've written some
helper scripts that are making the pain a little worse and operable.

I think you should get a step further with the following:

First change the group.py

diff -Naur
/usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904
/usr/lib/python2.6/site-packages/ipalib/plugins/group.py
--- /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904  
2012-09-04 14:03:33.943724891 +0200
+++ /usr/lib/python2.6/site-packages/ipalib/plugins/group.py   
2012-09-04 14:06:07.240468927 +0200
@@ -121,6 +121,13 @@
 doc=_('GID (use this option to set it manually)'),
 minvalue=1,
 ),
+Int('sambagrouptype',
+cli_name='sgt',
+label=_('Samba Group Type'),
+doc=_('Samba Group Type (default is 4)'),
+default=4,
+autofill=True,
+),
 )
 
 api.register(group)
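
Review bot: The added Int('sambagrouptype', ...) parameter carries no minvalue/maxvalue, although the GID parameter in the context lines directly above it sets minvalue=1; bounding the value to the group types Samba accepts would reject bad input at the CLI instead of writing it to LDAP. The doc string gives the default (4) but not what the number means, so the valid types should be listed there. With default=4 and autofill=True the attribute is filled in on every group-add, which deserves a deliberate decision for groups that will never be used by Samba. The diff header also shows the change being made in place under site-packages, where a package update will overwrite it; keeping it as a tracked patch or a separate plugin file avoids losing it silently.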

My script for getting the next available SID:

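# Print the next sambaSID: collect the sambaSID values of all users and
# groups, sort them numerically on dash-separated field 7, take the last
# one and print it with field 7 increased by one.
LDAPbase="dc=example,dc=com"
lastsid=$({
  # SIDs of Samba-enabled users
  ldapsearch -z0 -LLL -b "cn=users,cn=accounts,$LDAPbase" \
    '(objectClass=sambaSAMAccount)' sambaSID 2>/dev/null
  # SIDs of Samba-mapped groups
  ldapsearch -z0 -LLL -b "cn=groups,cn=accounts,$LDAPbase" \
    '(objectClass=sambaGroupMapping)' sambaSID 2>/dev/null
} | grep sambaSID | awk '{ print $2; }' | sort -n -t- -k 7 | tail -1)

echo "$lastsid" | awk '
BEGIN {
  OFS="-";
  FS="-";
}
{
  print $1,$2,$3,$4,$5,$6,$7+1;
}'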

Then create a new group with:
ipa group-add --desc="Testgroup2" testgroup2 --sgt=4 \
  --setattr="sambaSID=$(bash ./ldap-getnext-SID.sh)"

Hope this helps.

Regards Marc.

-- 
Marc Grimme

E-Mail: grimme( at )atix.de
XING: www.xing.com/profile/Marc_Grimme

ATIX - The Linux & Open Source Company

ATIX Informationstechnologie und Consulting AG
Einsteinstraße 10
85716 Unterschleißheim
www.atix.de

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
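
An added example, not part of the message above and not FreeIPA or Samba code: a next-SID helper for the same task that goes a little further than the posted script. It treats the last dash-separated field as the RID whatever the number of sub-authorities, compares RIDs numerically, and refuses to answer when the entries disagree on the domain SID. The function names and the LDIF sample are constructed for illustration.

```shell
#!/bin/bash
# Added example: derive the next free sambaSID from ldapsearch LDIF output.

# next_sid: reads LDIF on stdin, prints "<domain SID>-<highest RID + 1>".
# Returns 1 if no sambaSID is found, 2 if entries carry different domain SIDs.
next_sid() {
  awk '
    # Plain "sambaSID: S-1-..." lines only; malformed values are ignored.
    $1 == "sambaSID:" && $2 ~ /^S-1(-[0-9]+)+$/ {
      n = split($2, f, "-")
      rid = f[n] + 0                                   # last field is the RID
      prefix = substr($2, 1, length($2) - length(f[n]) - 1)
      if (domain == "") domain = prefix
      else if (prefix != domain) mixed = 1             # foreign domain SID
      if (rid > max) max = rid                         # numeric, not lexical
      seen = 1
    }
    END {
      if (!seen) exit 1
      if (mixed) exit 2
      printf "%s-%.0f\n", domain, max + 1
    }'
}

# Constructed sample input (not real directory data). A lexical sort would
# pick RID 998 as the "last" SID here; the numeric maximum is 10002.
sample_ldif() {
  cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-998

dn: cn=testgrp,cn=groups,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-10002
EOF
}

sample_ldif | next_sid
```

The lookup and the later ipa group-add are two separate steps, so two administrators running them at the same time can be handed the same SID; run the allocation from one place or check for the SID again before relying on it.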

Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-24 Thread Martin
That guide at techslaves.org sounds like a perfect match for our needs,
unfortunately the map and reality didn't quite match...

Point 4.3 says:

> 4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos
> ticket, try creating a new group:
>
> account@ipaserver:~
> $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
> -
> Added group "testgrp"
> -
>   Group name: testgrp
>   Description: Testing the group.py CLI mods
>   GID: 1234500010
>   Samba Group Type: 4

So I did. However, all I get is:

> ipa: ERROR: Unknown option: sambagrouptype

but I've followed the instructions carefully. There's, however, an added
complication here and that's that the sambaserver runs on a different
machine than the IPA-server and since it's not obvious (to me at least)
which part goes where I ran all the commands on the sambaserver. I bet
at least some of the steps would have to be run on the IPA-server.

Does anyone have an idea what went wrong? All the commands went through
without a problem until ipa group-add...

Regards

/Martin



On 03/24/2013 04:06 PM, Simo Sorce wrote:
> On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
>> 24.03.2013 04:27, Martin wrote:
>>> Hello, apologies if this is a FAQ.
>>>
>>> We're trying to set up a file server that authenticates all users against
>>> a FreeIPA-server. The systems are up to date CentOS 6 machines and
>>> everything works just swell for logins and NFS4-mounts. However, we're
>>> completely stuck on samba.
>>>
>>> We've tried to figure out how to make a samba 3 use PAM, ldap or
>>> whatever (and that way authenticate towards FreeIPA) and right now we're
>>> trying Samba 4 because we hoped that would be simpler. So far we're out
>>> of luck.
>>>
>>> What we want is just a stand alone samba server (there's no windows
>>> servers on this network) that is connected to FreeIPA. It sounds like a
>>> pretty basic thing to get to work, but apparently that's not the case.
>>>
>>> ...help? Maybe someone has a working config they could share?
>>>
>>> /Martin
> A while ago someone made this post:
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> It is not the only way to configure samba but it is a possible solution
> for your request.
>
>
>> This is about samba-shares, but maybe it can help
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html
>>
>
> If you are interested in client cifs just ignore point 4 and 5 of
> 11.4.2, they must be cut&paste errors from nfs client instructions, I am
> filing a bug to fix it.
>
> Simo.
>
>


Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-24 Thread Simo Sorce
On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
> 24.03.2013 04:27, Martin wrote:
> > Hello, apologies if this is a FAQ.
> >
> > We're trying to set up a file server that authenticates all users against
> > a FreeIPA-server. The systems are up to date CentOS 6 machines and
> > everything works just swell for logins and NFS4-mounts. However, we're
> > completely stuck on samba.
> >
> > We've tried to figure out how to make a samba 3 use PAM, ldap or
> > whatever (and that way authenticate towards FreeIPA) and right now we're
> > trying Samba 4 because we hoped that would be simpler. So far we're out
> > of luck.
> >
> > What we want is just a stand alone samba server (there's no windows
> > servers on this network) that is connected to FreeIPA. It sounds like a
> > pretty basic thing to get to work, but apparently that's not the case.
> >
> > ...help? Maybe someone has a working config they could share?
> >
> > /Martin

A while ago someone made this post:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

It is not the only way to configure samba but it is a possible solution
for your request.


> This is about samba-shares, but maybe it can help
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html
> 


If you are interested in client cifs just ignore point 4 and 5 of
11.4.2, they must be cut&paste errors from nfs client instructions, I am
filing a bug to fix it.

Simo.



Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-23 Thread Arthur Fayzullin

24.03.2013 04:27, Martin wrote:

> Hello, apologies if this is a FAQ.
>
> We're trying to set up a file server that authenticates all users against
> a FreeIPA-server. The systems are up to date CentOS 6 machines and
> everything works just swell for logins and NFS4-mounts. However, we're
> completely stuck on samba.
>
> We've tried to figure out how to make a samba 3 use PAM, ldap or
> whatever (and that way authenticate towards FreeIPA) and right now we're
> trying Samba 4 because we hoped that would be simpler. So far we're out
> of luck.
>
> What we want is just a stand alone samba server (there's no windows
> servers on this network) that is connected to FreeIPA. It sounds like a
> pretty basic thing to get to work, but apparently that's not the case.
>
> ...help? Maybe someone has a working config they could share?
>
> /Martin


This is about samba-shares, but maybe it can help
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html
