Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA
On 24.03.2013 18:14, Martin wrote:
> That guide at techslaves.org sounds like a perfect match for our needs,
> unfortunately the map and reality didn't quite match...
>
> Point 4.3 says:
>
>> 4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos
>> ticket, try creating a new group:
>>
>> account@ipaserver:~
>> $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
>> -
>> Added group "testgrp"
>> -
>> Group name: testgrp
>> Description: Testing the group.py CLI mods
>> GID: 1234500010
>> Samba Group Type: 4
> So I did. However, all I get is:
>
>> ipa: ERROR: Unknown option: sambagrouptype
> but I've followed the instructions carefully. There's, however, an added
> complication here and that's that the sambaserver runs on a different
> machine than the IPA-server and since it's not obvious (to me at least)
> which part goes where I ran all the commands on the sambaserver. I bet
> at least some of the steps would have to be run on the IPA-server.
>
> Does anyone have an idea what went wrong? All the commands went through
> without a problem until ipa group-add...
>
> Regards

I'm using this configuration with IPA based on 6.3 and had to patch the ipa python scripts.
I'm also far from an acceptable solution but still I've written some helper scripts that are making pain little worse and operatable.

I think you should get a step further with the following:

First change the group.py

diff -Naur /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904 /usr/lib/python2.6/site-packages/ipalib/plugins/group.py --- /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904 2012-09-04 14:03:33.943724891 +0200 +++ /usr/lib/python2.6/site-packages/ipalib/plugins/group.py 2012-09-04 14:06:07.240468927 +0200
@@ -121,6 +121,13 @@ doc=_('GID (use this option to set it manually)'), minvalue=1, ), +Int('sambagrouptype', +cli_name='sgt', +label=_('Samba Group Type'), +doc=_('Samba Group Type (default is 4)'), +default=4, +autofill=True, +), ) api.register(group)

My script for getting the next available SID:

    LDAPbase="dc=example,dc=com"
    # Collect the sambaSID of every Samba user and group, sort numerically on
    # the 7th dash-separated field and keep the last entry.
    lastsid=$({
      ldapsearch -z0 -LLL -b "cn=users,cn=accounts,$LDAPbase" '(objectClass=sambaSAMAccount)' sambaSID 2>/dev/null
      ldapsearch -z0 -LLL -b "cn=groups,cn=accounts,$LDAPbase" '(objectClass=sambaGroupMapping)' sambaSID 2>/dev/null
    } | grep sambaSID | awk '{ print $2; }' | sort -n -t- -k 7 | tail -1)
    # Print the first six fields unchanged and the 7th incremented by one.
    echo "$lastsid" | awk 'BEGIN { OFS="-"; FS="-"; } { print $1,$2,$3,$4,$5,$6,$7+1; }'

Then create a new group with:

    ipa group-add --desc="Testgroup2" testgroup2 --sgt=4 --setattr="sambaSID=$(bash ./ldap-getnext-SID.sh)"

Hope this helps.

Regards
Marc.

--
Marc Grimme
E-Mail: grimme( at )atix.de
XING: www.xing.com/profile/Marc_Grimme
ATIX - The Linux & Open Source Company
ATIX Informationstechnologie und Consulting AG
Einsteinstraße 10
85716 Unterschleißheim
www.atix.de

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
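Review bot: the added Int('sambagrouptype', ...) parameter carries no bounds, while the GID parameter in the context lines just above it sets minvalue=1; add minvalue and maxvalue (or a validator) so that --sgt cannot write an arbitrary integer to the attribute. Because default=4 is combined with autofill=True, the value is filled in whenever the option is omitted, and the doc string should say so. The diff targets the installed file under /usr/lib/python2.6/site-packages, so a package update will replace the change; keep the patch where it can be reapplied and reviewed.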
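A variant of the next-SID helper from the message above, added here as an example (it is not Marc's script and not part of FreeIPA): it reads `ldapsearch -LLL` output on stdin, compares the last dash-separated field numerically, and reports entries that already share a sambaSID. The function names, the LDIF sample and the domain SID are constructed, and the code assumes every sambaSID has the form "domain SID, then RID".

```shell
#!/bin/sh
# Added example. The LDIF is constructed; S-1-5-21-111-222-333 is a made-up
# domain SID. Assumes every sambaSID is "<domain SID>-<RID>".

sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333-1000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333-999

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333-10002
EOF
}

# Print every sambaSID value found in the LDIF on stdin, one per line.
extract_sids() {
    awk '$1 == "sambaSID:" { print $2 }'
}

# Print SIDs held by more than one entry (two principals sharing one identity).
duplicate_sids() {
    extract_sids | sort | uniq -d
}

# Print the SID after the highest RID, comparing the last field numerically.
# Returns 1 when there is no SID at all or the domain prefixes differ.
next_sid() {
    extract_sids | awk -F- '
        {
            prefix = $0; sub(/-[0-9]+$/, "", prefix)
            if (NR == 1) first = prefix
            if (prefix != first) mixed = 1
            if ($NF + 0 > max) max = $NF + 0
        }
        END {
            if (NR == 0 || mixed) exit 1
            print first "-" (max + 1)
        }'
}

sample_ldif | next_sid    # prints the next SID for the constructed sample
```

Computing "highest plus one" on the client is not atomic, so running `duplicate_sids` over the directory after provisioning catches two entries that ended up with the same SID.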
Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA
That guide at techslaves.org sounds like a perfect match for our needs,
unfortunately the map and reality didn't quite match...

Point 4.3 says:

> 4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos
> ticket, try creating a new group:
>
> account@ipaserver:~
> $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
> -
> Added group "testgrp"
> -
> Group name: testgrp
> Description: Testing the group.py CLI mods
> GID: 1234500010
> Samba Group Type: 4

So I did. However, all I get is:

> ipa: ERROR: Unknown option: sambagrouptype

but I've followed the instructions carefully. There's, however, an added
complication here and that's that the sambaserver runs on a different
machine than the IPA-server and since it's not obvious (to me at least)
which part goes where I ran all the commands on the sambaserver. I bet
at least some of the steps would have to be run on the IPA-server.

Does anyone have an idea what went wrong? All the commands went through
without a problem until ipa group-add...

Regards
/Martin

On 03/24/2013 04:06 PM, Simo Sorce wrote:
> On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
>> 24.03.2013 04:27, Martin wrote:
>>> Hello, apologize if this is a faq.
>>>
>>> We're trying to set up a file server that authenticates all users against
>>> a FreeIPA-server. The systems are up to date CentOS 6 machines and
>>> everything works just swell for logins and NFS4-mounts. However, we're
>>> completely stuck on samba.
>>>
>>> We've tried to figure out how to make a samba 3 use PAM, ldap or
>>> whatever (and that way authenticate towards FreeIPA) and right now we're
>>> trying Samba 4 because we hoped that would be simpler. So far we're out
>>> of luck.
>>>
>>> What we want is just a stand alone samba server (there's no windows
>>> servers on this network) that is connected to FreeIPA. It sounds like a
>>> pretty basic thing to get to work, but apparently that's not the case.
>>>
>>> ...help? Maybe someone has a working config they could share?
>>>
>>> /Martin
> A while ago someone made this post:
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> It is not the only way to configure samba but it is a possible solution
> for your request.
>
>> This is about samba-shares, but maybe can help
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html
>
> If you are interested in client cifs just ignore point 4 and 5 of
> 11.4.2, they must be cut&paste errors from nfs client instructions, I am
> filing a bug to fix it.
>
> Simo.
Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA
On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
> 24.03.2013 04:27, Martin wrote:
> > Hello, apologize if this is a faq.
> >
> > We're trying to set up a file server that authenticates all users against
> > a FreeIPA-server. The systems are up to date CentOS 6 machines and
> > everything works just swell for logins and NFS4-mounts. However, we're
> > completely stuck on samba.
> >
> > We've tried to figure out how to make a samba 3 use PAM, ldap or
> > whatever (and that way authenticate towards FreeIPA) and right now we're
> > trying Samba 4 because we hoped that would be simpler. So far we're out
> > of luck.
> >
> > What we want is just a stand alone samba server (there's no windows
> > servers on this network) that is connected to FreeIPA. It sounds like a
> > pretty basic thing to get to work, but apparently that's not the case.
> >
> > ...help? Maybe someone has a working config they could share?
> >
> > /Martin

A while ago someone made this post:
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

It is not the only way to configure samba but it is a possible solution
for your request.

> This is about samba-shares, but maybe can help
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html

If you are interested in client cifs just ignore point 4 and 5 of
11.4.2, they must be cut&paste errors from nfs client instructions, I am
filing a bug to fix it.

Simo.
Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA
24.03.2013 04:27, Martin wrote:
> Hello, apologize if this is a faq.
>
> We're trying to set up a file server that authenticates all users against
> a FreeIPA-server. The systems are up to date CentOS 6 machines and
> everything works just swell for logins and NFS4-mounts. However, we're
> completely stuck on samba.
>
> We've tried to figure out how to make a samba 3 use PAM, ldap or
> whatever (and that way authenticate towards FreeIPA) and right now we're
> trying Samba 4 because we hoped that would be simpler. So far we're out
> of luck.
>
> What we want is just a stand alone samba server (there's no windows
> servers on this network) that is connected to FreeIPA. It sounds like a
> pretty basic thing to get to work, but apparently that's not the case.
>
> ...help? Maybe someone has a working config they could share?
>
> /Martin

This is about samba-shares, but maybe can help
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cifs.html