Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-23 Thread Alexander Bokovoy

On Wed, 23 Nov 2016, Troels Hansen wrote:

> - On Nov 23, 2016, at 8:52 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
> > IPA client running Samba server currently can only be configured with
> > the way described in the wiki, with SSSD-provided libwbclient
> > replacement. It has its own limitations, namely lack of NTLMSSP
> > (password-based) support.
>
> Hmm, I have set up a "normal" IPA client, running Samba, using ipasam
> on multiple occasions, so I know for sure that it works, although I
> haven't tested it in an AD trust environment.

Then you know how to set it up. It is not something we support out of
the box.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-23 Thread Troels Hansen


- On Nov 23, 2016, at 8:52 AM, Alexander Bokovoy aboko...@redhat.com wrote:

> IPA client running Samba server currently can only be configured with
> the way described in the wiki, with SSSD-provided libwbclient
> replacement. It has its own limitations, namely lack of NTLMSSP
> (password-based) support.

Hmm, I have set up a "normal" IPA client, running Samba, using ipasam on
multiple occasions, so I know for sure that it works, although I haven't tested
it in an AD trust environment.



Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-22 Thread Alexander Bokovoy

On Wed, 23 Nov 2016, Troels Hansen wrote:

> Hi there
>
> I'm having a bit of a dilemma. I'm going to set up a Samba in an IPA 4.4 / AD
> trust, and was wondering what the official or best practise method of joining
> the Samba server is:
>
> I see two methods:
> - The one from
>   http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>   using wbclient.
> - A second one where I use ipasam
>
> I was wondering which is actually the officially best practise as it
> seems documentation states wbclient, but samba configured on IPA server
> uses ipasam?

You are trying to conflate two different configurations into a single
one, this is not going to work, no wonder.

IPA master uses ipasam. Among other features, ipasam stores information
about trusted domains (ldapsam doesn't do that).

IPA client running Samba server currently can only be configured with
the way described in the wiki, with SSSD-provided libwbclient
replacement. It has its own limitations, namely lack of NTLMSSP
(password-based) support.

If you need to have Samba file server setup for the trust case, you
either give up password-based access completely and go with the
wiki-described way where only Kerberos-based access would work, or you'd
dedicate one IPA master to be a file server, run ipa-adtrust-install on
it and get a machine with ipasam configuration that will be able to
check passwords with NTLMSSP. The downside is that it is a full-blown
IPA master, running 389-ds and MIT Kerberos on it.

--
/ Alexander Bokovoy
