Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Simon Williams wrote:
> Hi
>
> I don't know if anyone has tried what I want to do, I really just want to
> know if it's possible at the moment. A few pointers to any information
> would be helpful too!
Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

> I have an existing FreeIPA server running on a CentOS machine. It is used
> to authenticate all users on the network. This works very well, but
> setting up Windows workstations is a bit of a pain. I also want to
> provide some network storage for the windows machines. To this end, I
> would like to set up a Samba 4 server as a slave to FreeIPA so that the
> Windows workstations could join an AD domain controlled by Samba 4, but
> actually authenticating against FreeIPA. I really want to keep FreeIPA in
> the driving seat, but would love to be able to make the Windows
> workstations behave as though they were on a domain.
So you describe above several disconnected cases:

1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible deployment
   trusting FreeIPA deployment.

(1) is possible to implement with a few caveats, and some details are still
rough. We have plans on making the experience smoother for FreeIPA 3.3+ or
so. For now, if there is cross-realm trust with Active Directory, each IPA
master which serves as domain controller (after ipa-adtrust-install was run
on it) could serve as file server, but access control setup is a bit
complex.

(2) is not possible right now due to the fact that Samba AD DC does not
support cross-forest trusts right now. There is a certain amount of work to
be done to implement the needed logic in Samba.

-- 
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Samba 4 with IPA
That is actually pretty good news. The real requirement is network storage
for the Windows workstations secured by FreeIPA authentication. If I read
what you've said correctly this is possible now. I can live with the magical
incantations to enrol any new Windows machines for now. There are a few
things that would work better if Windows thought it was logging on to a
domain, but we have lived without those features for the last year. Once a
Windows machine has been set up correctly, which can be a bit hit and miss,
the authentication works flawlessly.

It sounds as though I can set up the file server now and then extend it to
do the AD DC bit when it is ready. I don't suppose there is a Samba 4 +
FreeIPA 3 file server HowTo anywhere is there?

Sent from Windows Mail

From: Alexander Bokovoy
Sent: Tuesday, 30 April 2013 18:01
To: Simon Williams
Cc: freeipa-users

> [...]
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:
> That is actually pretty good news. The real requirement is network
> storage for the Windows workstations secured by FreeIPA authentication.
> If I read what you've said correctly this is possible now. I can live
> with the magical incantations to enrol any new Windows machines for now.
> There are a few things that would work better if Windows thought it was
> logging on to a domain, but we have lived without those features for the
> last year. Once a Windows machine has been set up correctly, which can be
> a bit hit and miss, the authentication works flawlessly.
To be clear, we have not tested this combination so you'll be in uncharted
waters. Since the TGT for these users would still be issued by the FreeIPA
KDC, it would include MS-PAC with SIDs of these users in the FreeIPA domain
-- once you have run ipa-adtrust-install, of course. Thus, smbd on an IPA
master would be able to recognize them as FreeIPA users regardless of where
they come from -- IPA or Windows machines, as long as Kerberos is in use.

Any reports of how such a setup would actually behave are welcomed.

> It sounds as though I can set up the file server now and then extend it
> to do the AD DC bit when it is ready. I don't suppose there is a Samba 4
> + FreeIPA 3 file server HowTo anywhere is there?
The only requirements for a simplistic setup are to:

1. run the file server on an IPA master (you can make a dedicated replica
   for that)
2. run ipa-adtrust-install on that master to set up the Samba configuration
   and enable the KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to set up shares, since Samba on an IPA master
   uses the registry backend to store the smb.conf configuration.

See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
for a sample of how to work with 'net conf setparm'. For 'valid users' I
guess you can use simply user names since these would be our local ones.

Again, this is completely untested right now.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
> [...]
So, I tried a quick test for this, using the admins group:

1. Set up the shared space, apply the SELinux context and modify ACLs:

[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x

2. Create the actual Samba share:

[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N

3. Obtain a TGT for the Kerberos identity (admin, belongs to the admins group):

[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied a
few files in several sessions, showing the last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
  .                                   D        0  Tue Apr 30 22:06:51 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
  .                                   D        0  Tue Apr 30 22:10:35 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \>

Check the status of the last copied file, notice the permissions and the
SELinux context:

[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
  Size: 47112      Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (156440/   admin)   Gid: (156440/  admins)
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
 Birth: -

-- 
/ Alexander Bokovoy
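The three steps of the test above, as an added example that is not part of the thread and not FreeIPA or Samba project code: a small shell script that repeats the setup with the access controls a practitioner would want on a share that is going to stay. It keeps the thread's hypothetical names (share testshare at /srv/testshare, IPA group admins) and assumes an IPA master where ipa-adtrust-install has already been run, SELinux in enforcing mode, and the semanage tool installed. Two things differ from the session above on purpose: the samba_share_t label is recorded in the SELinux policy rather than set with chcon (a chcon label is lost on the next restorecon), and the share is restricted to the group through 'valid users', with new files no longer world-readable (the stat above shows 0744). A 'plan' mode prints the commands instead of running them, so the plan can be reviewed before it is applied as root.

```shell
#!/bin/bash
# Added example, not from the thread: smbd share on an IPA master that has
# run ipa-adtrust-install, restricted to one IPA group. Names below are
# hypothetical and taken from the thread's test; override via environment.
set -eu

SHARE_NAME="${SHARE_NAME:-testshare}"
SHARE_PATH="${SHARE_PATH:-/srv/testshare}"
ALLOWED_GROUP="${ALLOWED_GROUP:-admins}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or only print it when DRY_RUN=1, so the
# plan can be reviewed (and checked) on a box without Samba or SELinux tools.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# share_exists: true if the registry already has the share (never in dry-run).
share_exists() {
  [ "$DRY_RUN" = 1 ] && return 1
  net conf showshare "$SHARE_NAME" >/dev/null 2>&1
}

# Step 1 from the thread, hardened: persistent SELinux label via the policy
# (chcon does not survive restorecon), "other" kept out of the directory,
# and a default ACL so files created by one admin stay usable by the group.
setup_share_dir() {
  run mkdir -p "$SHARE_PATH"
  run chmod 0750 "$SHARE_PATH"
  run semanage fcontext -a -t samba_share_t "${SHARE_PATH}(/.*)?" \
    || run semanage fcontext -m -t samba_share_t "${SHARE_PATH}(/.*)?"
  run restorecon -Rv "$SHARE_PATH"
  run setfacl -m "g:${ALLOWED_GROUP}:rwx" "$SHARE_PATH"
  run setfacl -d -m "g:${ALLOWED_GROUP}:rwx" "$SHARE_PATH"
}

# Step 2 from the thread (registry backend, so 'net conf' rather than
# editing smb.conf), plus the access controls the test left at defaults:
# no guests, only the group may connect, new files are not world-readable.
configure_share() {
  share_exists || run net conf addshare "$SHARE_NAME" "$SHARE_PATH" writeable=y guest_ok=N
  run net conf setparm "$SHARE_NAME" "valid users" "@${ALLOWED_GROUP}"
  run net conf setparm "$SHARE_NAME" "create mask" "0660"
  run net conf setparm "$SHARE_NAME" "directory mask" "0770"
}

# Post-apply check: the share is registered without guest access, and the
# directory carries the samba_share_t label and the group ACL. Step 3 of the
# thread (kinit, then smbclient -k //host/share) is the end-to-end test.
verify_share() {
  net conf showshare "$SHARE_NAME" | grep -qiE 'guest ok *= *no' \
    || { echo "FAIL: guest access not disabled on $SHARE_NAME" >&2; return 1; }
  ls -Zd "$SHARE_PATH" | grep -q samba_share_t \
    || { echo "FAIL: $SHARE_PATH is not labelled samba_share_t" >&2; return 1; }
  getfacl -p "$SHARE_PATH" | grep -q "^group:${ALLOWED_GROUP}:rwx" \
    || { echo "FAIL: $ALLOWED_GROUP has no rwx ACL on $SHARE_PATH" >&2; return 1; }
  echo "OK: $SHARE_NAME at $SHARE_PATH restricted to @$ALLOWED_GROUP"
}

case "${1:-}" in
  plan)  DRY_RUN=1; setup_share_dir; configure_share ;;
  apply) setup_share_dir; configure_share; verify_share ;;
  check) verify_share ;;
  *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as 'bash ipa-samba-share.sh plan' to see the commands, 'apply' as root on the master, and 'check' later to confirm nothing drifted. 'valid users' is enforced by smbd at connect time and the POSIX ACL by the kernel on every access; keep both, since a share that relies on only one of them is one misconfiguration away from being open to every IPA user.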
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
> [...]
And for those who are too enjoyed -- this only works for FreeIPA's own
users. AD users, coming through a trust, are not supported this way yet,
only through
Re: [Freeipa-users] Samba 4 with IPA
Thanks for all your help. I'll give it a go and see how far I get.

On 30 Apr 2013 19:37, Alexander Bokovoy aboko...@redhat.com wrote:
> [...]
Re: [Freeipa-users] Samba 4 with IPA
On Tue, 30 Apr 2013, Simo Sorce wrote:
> On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
> > We need to add some smart logic to ipasam module to handle it.
> The logic for trusted users needs to go into winbindd or sssd, ipasam is
> only about our own domain.
>
> In SSSD 1.10 there is a new SID translation interface in libsss_nss_idmap
> that we can use to build such logic.
I only pointed to ipasam because this is a place where we know everything
about all IPA trusts and idranges and which gets contacted if winbindd is
unable to resolve a uid/gid to a SID. A fallback case.

For an SSSD-based solution we would need to differentiate between it being
installed on an IPA master with the ipa-adtrust-install configuration and
other machines, to avoid loops, as SSSD on an IPA master currently asks
winbindd for SID translation and other SSSDs ask IPA's extdom plugin on the
Directory Server side.

-- 
/ Alexander Bokovoy