Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-23 Thread Matt .
Hi Guys,

Please keep this topic updated as many people seem to have this question.

What's the status on your side?

Cheers,

Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-04 Thread Matt .
Hi,

Does everyone have this working, or have you given up on it?

Cheers,

Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-26 Thread Matt .
Chris,

How far are you on this? I'm stuck atm :(

I hope you have some reference notes to follow and check out.

Thanks!

Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-20 Thread Matt .
Hi Guys,

Does anyone still have a working clue/test here?

I didn't get any further, as it seems there needs to be some domain join /
match, according to the FreeIPA devs.

Thanks!

Matt

2015-08-13 13:09 GMT+02:00 Matt . <yamakasi@gmail.com>:
> Hi,
>
> I might have found something which I had already seen in the logs.
>
> I ran smbpasswd for my username on the samba server; it connects to LDAP
> very well. I give my new password and get the following:
>
> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
> [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
> scope => [2]
> Attribute [displayName] not found.
> Could not retrieve 'displayName' attribute from cn=Default SMB
> Group,cn=groups,cn=accounts,dc=my,dc=domain
> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>
> So something is missing!
>
> Thanks so far guys!
>
> Cheers,
>
> Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-20 Thread Matt .
Hi Chris,

Would be great to see!

If I have it working and we have 2-3 test cases, I think we can add it
to the IPA docs!

Keep me updated!

Thanks

Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-20 Thread Christopher Lamb
Matt

Once I got Samba and FreeIPA integrated (by the "good old extensions"
path), I always use FreeIPA to administer users. I have never tried the
samba tools like smbpasswd.

I still have a wiki how-to in the works, but I had to focus on some other
issues for a while.

Chris



From:   "Matt ." <yamakasi@gmail.com>
To: Youenn PIOLET <piole...@gmail.com>
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
"freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date:   20.08.2015 08:12
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Youenn PIOLET
Hi Matt

- CentOS: Did you copy ipasam.so and change your smb.conf accordingly?
  sambaSamAccount is not needed anymore that way.
- Default IPA Way: won't work if your Windows is not part of a domain
  controller. DOMAIN\username may work for some users using Windows 7 - not 8
  nor 10 (it did for me but I was the only one at the office... quite useless)

This config may work on your CentOS (for the ipasam way):
workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/./samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
# ldap suffix takes the base DN of the IPA directory (FreeIPA derives it
# from the domain, here dc=test,dc=net), not the DNS domain name
ldap suffix = dc=test,dc=net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts


--
Youenn Piolet
piole...@gmail.com


2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,
  
   I'm testing this out and I think I have almost set it up, on a CentOS samba
   server.
  
   I'm using the ipa-adtrust way of Youenn, but it seems we still need to
   add (objectclass=sambaSamAccount)?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
   2015-08-10 11:16 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
   The next route I will try is the one Youenn took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
   Okay, this is good to hear.
  
   But don't we want an IPA-managed schema?
  
   When I did an ipa-adtrust-install --add-sids it also wanted a locally
   installed Samba, and I wonder why.
  
   Good that we are making some progress on making it all clear.
 
  Cheers,
 
  Matt
 
   2015-08-10 6:12 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi,
 
   Yes, I know about them all, but which way did you use now?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
   I am on OEL 7.1, so anything that works on that should be good for RHEL
   and CentOS 7.x.
  
   I intend to add a how-to to the FreeIPA Wiki over the next few days. As
   we have suggested earlier, we will likely end up with several, one for
   each of the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
   What are you using now, both CentOS? So Samba and FreeIPA?
  
   Maybe it's good to explain which way you used now in steps too, so we
   can combine or create multiple how-tos?
 
  At least we are going somewhere!
 
  Thanks,
 
  Matt
 
  2015-08-09 14:54 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
   My test integration of FreeIPA 4.x and Samba 4.x (with the "good old"
   Samba schema extensions) is up and working, almost flawlessly.
  
   I can add users and groups via the FreeIPA CLI, and they get the
   correct objectClasses / attributes required for Samba.
  
   So far I have not yet bothered to try the extensions to the WebUI,
   because it is currently giving me the classic "Your session has expired.
   Please re-login." error, which renders the WebUI useless.
  
   The only problem I have so far encountered managing Samba / FreeIPA
   users via FreeIPA CLI commands is with the handling of the attribute
   sambaPwdLastSet. This is the subject of an existing thread, also
   updated today.
  
   There is also an existing alternative to hacking group.py, using Class
   of Service (CoS), documented in this thread from February 2015:
   https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
   I have not yet tried it, but it sounds reasonable.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM
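The smb.conf fragment in Youenn's message above is the whole ipasam recipe, and two of its lines are easy to get subtly wrong: "ldap suffix" has to be the directory base DN (ipasam uses it as the LDAP search base, so a DNS name there breaks every user and group lookup), and the URL in "passdb backend" is the transport over which the file server fetches password hashes, so it should be ldaps:// or a local ldapi:// socket, never plain ldap://. The checker below is an added example written for this page, not code from the thread, from Samba or from FreeIPA. It reads an smb.conf [global] section the way Samba matches parameter names (case and whitespace are ignored, so "ldapsuffix" and "ldap suffix" are the same key) and flags those two mistakes plus a few weak settings. The two fragments embedded in it are constructed variants of the posted one; the keytab path in the corrected variant is illustrative.

```python
"""Sanity checks for a Samba [global] section that uses FreeIPA's ipasam passdb backend."""
import re

# Parameters the ipasam set-up depends on, spelled the way Samba normalises them
# (Samba ignores case and whitespace in parameter names, so "ldapsuffix" == "ldap suffix").
REQUIRED = ("realm", "passdbbackend", "ldapsuffix", "kerberosmethod", "dedicatedkeytabfile")
# A base DN: one or more attr=value pairs separated by commas (dc=test,dc=net).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(?:,[A-Za-z][\w-]*=[^,]+)*$")


def _key(name: str) -> str:
    return re.sub(r"\s+", "", name).lower()


def parse_smbconf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {normalised_param: value}}.
    Lines before the first [section] belong to [global], which is how Samba treats them."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = _key(m.group(1))
            conf.setdefault(section, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            conf[section][_key(name)] = value.strip()
    return conf


def check_ipasam_global(text: str) -> list:
    """Return a list of findings; an empty list means the fragment passes these checks."""
    g = parse_smbconf(text)["global"]
    findings = [f"missing parameter: {p}" for p in REQUIRED if p not in g]
    suffix = g.get("ldapsuffix")
    if suffix is not None and not DN_RE.match(suffix):
        findings.append(f"ldap suffix must be the base DN, not {suffix!r}")
    backend = g.get("passdbbackend", "")
    if backend.startswith("ipasam:"):
        url = backend[len("ipasam:"):]
        if not (url.startswith("ldaps://") or url.startswith("ldapi://")):
            # ipasam reads password hashes from the directory; plain ldap:// puts them on the wire.
            findings.append(f"passdb backend uses an unencrypted transport: {url!r}")
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append("encrypt passwords = no (cleartext logons; leave the default yes)")
    if g.get("security", "user").lower() != "user":
        findings.append(f"security = {g['security']} (ipasam is a passdb backend; use security = user)")
    keytab = g.get("dedicatedkeytabfile")
    if keytab is not None and not keytab.startswith("FILE:/"):
        findings.append(f"dedicated keytab file should be FILE:/absolute/path, got {keytab!r}")
    return findings


# Constructed variants of the posted fragment: one with the suffix given as a DNS name,
# the backend reached over plain ldap:// and two other weak settings, and one corrected
# (the keytab path in the corrected variant is illustrative).
WEAK = """
workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = samba.keytab
create krb5 conf = no
security = user
encrypt passwords = no
passdb backend = ipasam:ldap://youripa.test.net
ldapsam:trusted = yes
ldapsuffix = test.net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
"""
FIXED = (
    WEAK.replace("dedicated keytab file = samba.keytab",
                 "dedicated keytab file = FILE:/etc/samba/samba.keytab")
    .replace("encrypt passwords = no", "encrypt passwords = yes")
    .replace("ipasam:ldap://", "ipasam:ldaps://")
    .replace("ldapsuffix = test.net", "ldap suffix = dc=test,dc=net")
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_ipasam_global(conf) or "ok")
```

Run it as is to see the weak fragment produce four findings and the corrected one none; to check a real server, paste its [global] section into the string and run the same function. It deliberately does not try to confirm that the suffix is the directory's actual base DN or that the keytab exists; testparm and klist -kt on the Samba host are the tools for that.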

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Matt .
Hi Youenn,

OK thanks! this takes me a little bit further now and I see some good
stuff in my logging.

I'm testing on a Windows 10 machine which is not a member of an AD or
so, so that might be my issue for now ?

When testing on the samba box itself as my user I get:


[myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

...
Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
...
SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


Maybe I have an issue with encrypted passwords ?


When we have this all working, I think we have a howto :D

Thanks!

Matt

2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 - not 8
 nor 10 (it did for me but I was the only one at the office... quite useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  HI GUys,
 
  I'm testing this out and I think I have almost set this up, on a CentOS samba
  server.

  I'm using the ipa-adtrust way of Youenn but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youenn took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want an IPA managed Scheme ?

  When I did an ipa-adtrust-install --add-sids it also wanted a locally
  installed Samba and I wonder why.

  Good that we make some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
  have suggested earlier, we will likely end up with several, one for each of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
  What are you using now, both CentOS ? So Samba and FreeIPA ?
 
  Maybe it's good to explain which way you used now in steps too, so we
  can combine or create multiple howto's ?
 
  At least we are going somewhere!
 
  Thanks,
 
  Matt
 
  2015-08-09 14:54 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
  Schema extensions) is up and working, almost flawlessly.
 
  I can add users and groups via the FreeIPA CLI, and they get the
  correct
  ObjectClasses / attributes required for Samba.
 
  So far I have not yet bothered to try the extensions to the WebUI,
  because
  it is currently giving me the classic Your session has
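Youenn's smb.conf above is the configuration this thread converges on for the ipasam path. The following is an added example, not code from the thread or from the FreeIPA or Samba projects: it parses an smb.conf and reports the settings that path depends on, in particular that the passdb URL is ldaps:// (ipasam reads ipaNTHash from the directory, so the LDAP session should be TLS-protected), that a dedicated keytab is used and that encrypted passwords stay on. The sample is the posted config verbatim; the weak variant and the check list are this example's own assumptions about what to verify.

```python
"""Sanity-check an smb.conf for the ipasam integration path.

Added example for this thread, not code from the FreeIPA or Samba projects.
It parses the smb.conf settings Youenn posted and flags the ones a defender
would want to confirm before putting the share into service.
"""
import re

# Constructed sample: the settings posted in the thread, verbatim. The host,
# realm and keytab path are Youenn's placeholders, not a real deployment.
SAMPLE_SMB_CONF = """
workgroup = TEST
realm = TEST.NET
kerberos method = dedicated keytab
dedicated keytab file = FILE:/./samba.keytab
create krb5 conf = no
security = user
encrypt passwords = true
passdb backend = ipasam:ldaps://youripa.test.net
ldapsam:trusted = yes
ldapsuffix = test.net
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
"""

# Constructed weak variant: plain ldap:// to the IPA server and encrypted
# passwords switched off. Both are mistakes the checker should catch.
WEAK_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "ipasam:ldaps://", "ipasam:ldap://"
).replace("encrypt passwords = true", "encrypt passwords = no")


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace
    removed, which is how Samba itself matches parameter names (so
    'ldapsuffix' and 'ldap suffix' are the same key)."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()
        sections.setdefault(current, {})[key] = value.strip()
    return sections


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_ipasam_config(text):
    """Return a list of findings; an empty list means the global section
    carries the settings this thread's ipasam path relies on."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    backend = g.get("passdbbackend", "")
    if not backend.startswith("ipasam:"):
        findings.append("passdb backend is not ipasam")
    elif not backend[len("ipasam:"):].startswith("ldaps://"):
        # ipasam reads ipaNTHash from the directory; without TLS on the
        # LDAP connection those NT hashes cross the wire unprotected.
        findings.append("ipasam URL is not ldaps://")
    if g.get("kerberosmethod", "").lower() != "dedicated keytab":
        findings.append("kerberos method should be 'dedicated keytab'")
    if not g.get("dedicatedkeytabfile", "").startswith("FILE:"):
        findings.append("dedicated keytab file should be a FILE: path")
    if g.get("security", "").lower() != "user":
        findings.append("security should be 'user'")
    # Samba defaults both of these to yes; the thread's config needs the
    # first on and the second off so the IPA-managed krb5.conf is used.
    if not _is_true(g.get("encryptpasswords", "yes")):
        findings.append("encrypt passwords must be enabled")
    if _is_true(g.get("createkrb5conf", "yes")):
        findings.append("create krb5 conf should be 'no'")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_SMB_CONF), ("weak", WEAK_SMB_CONF)):
        print(name, check_ipasam_config(conf) or "ok")
```

Run it against your own file with `check_ipasam_config(open("/etc/samba/smb.conf").read())`; the posted config passes cleanly, the weak variant reports the plain-LDAP URL and the disabled password encryption.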

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-13 Thread Matt .
Hi,

I might have found something which I had already seen in the logs.

I did a smbpasswd my username on the samba server; it connects to ldap
very well. I give my new password and get the following:

smbldap_search_ext: base = [dc=my,dc=domain], filter =
[((objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
scope = [2]
Attribute [displayName] not found.
Could not retrieve 'displayName' attribute from cn=Default SMB
Group,cn=groups,cn=accounts,dc=my,dc=domain
Sid S-1my--sid--- - MYDOMAIN\Default SMB Group(2)

So something is missing!

Thanks so far guys!

Cheers,

Matt

2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Youenn,

 OK thanks! this takes me a little bit further now and I see some good
 stuff in my logging.

 I'm testing on a Windows 10 machine which is not a member of an AD or
 so, so that might be my issue for now ?

 When testing on the samba box itself as my user I get:


 [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares

 ...
 Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
 ...
 SPNEGO login failed: NT_STATUS_WRONG_PASSWORD


 Maybe I have an issue with encrypted passwords ?


 When we have this all working, I think we have a howto :D

 Thanks!

 Matt

 2015-08-13 10:53 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hi Matt

 - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
 sambaSamAccount is not needed anymore that way.
 - Default IPA Way : won't work if your Windows is not part of a domain
 controller. DOMAIN\username may work for some users using Windows 7 - not 8
 nor 10 (it did for me but I was the only one at the office... quite useless)

 This config may work on your CentOS (for the ipasam way):
 workgroup = TEST
 realm = TEST.NET
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/./samba.keytab
 create krb5 conf = no
 security = user
 encrypt passwords = true
 passdb backend = ipasam:ldaps://youripa.test.net
 ldapsam:trusted = yes
 ldapsuffix = test.net
 ldap user suffix = cn=users,cn=accounts
 ldap group suffix = cn=groups,cn=accounts


 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-12 22:15 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 OK the default IPA way works great actually when testing it as described
 here:

 http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 On the samba server I can auth and see my share where I want to connect
 to.

 The issue is, on Windows I cannot auth, even when I do DOMAIN\username
 as username

 So, the IPA way should work.

 Any comments here ?

 Cheers,

 Matt

 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
  HI GUys,
 
  I'm testing this out and I think I have almost set this up, on a CentOS samba
  server.

  I'm using the ipa-adtrust way of Youenn but it seems we still need to
  add (objectclass=sambaSamAccount)) ?
 
  Info is welcome!
 
  I will report back when I have it working.
 
  Thanks!
 
  Matt
 
  2015-08-10 11:16 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  The next route I will try - is the one Youenn took, using ipa-adtrust
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   10.08.2015 10:03
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  Okay this is good to hear.
 
  But don't we want an IPA managed Scheme ?

  When I did an ipa-adtrust-install --add-sids it also wanted a locally
  installed Samba and I wonder why.

  Good that we make some progress on making it all clear.
 
  Cheers,
 
  Matt
 
  2015-08-10 6:12 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  ldapsam + the samba extensions, pretty much as described in the
  Techslaves
  article. Once I have a draft for the wiki page, I will mail you.
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 21:17
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi,
 
  Yes I know about anything but which way did you use now ?
 
 
 
  2015-08-09 20:56 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
  Hi Matt
 
  I am on OEL 7.1. - so anything that works on that should be good for
  RHEL
  and Centos 7.x
 
  I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
  have suggested earlier, we will likely end up with several, one for each of
  the possible integration paths.
 
  Chris
 
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   09.08.2015 16:45
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
 
 
 
  Hi Chris,
 
  This sounds great!
 
  What are you using now, both CentOS ? So Samba
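The smbpasswd output at the top of this message and the NT_STATUS_WRONG_PASSWORD lines quoted below it are the two things one ends up grepping for in /var/log/samba. The following is an added example, not code from the thread or from Samba or FreeIPA: it groups such lines so that a backend attribute the server could not read (which breaks every user the same way) is reported separately from repeated wrong passwords for one account, which is the count a defender wants per user. The sample lines are constructed from the messages Matt pasted, with a made-up timestamp prefix and a second user; the regular expressions are this example's own and should be adjusted to the log format of your Samba version.

```python
"""Triage Samba authentication log lines of the kind quoted in the thread.

Added example, not Samba or FreeIPA project code. Youenn's debugging step is
`tail -f /var/log/samba/log* | grep username`; this does the same grouping
over captured lines, separating a schema problem (an attribute the backend
could not read, which fails every user) from repeated wrong passwords for
one account (which a defender wants to see as a per-user count).
"""
import re
from collections import Counter

# Patterns for the three message kinds Matt pasted; the log prefix
# (timestamp, level, source file) varies, so they are searched, not matched.
NTLM_FAIL = re.compile(
    r"Checking NTLMSSP password for (?P<user>\S+) failed: (?P<status>NT_STATUS_\w+)"
)
SPNEGO_FAIL = re.compile(r"SPNEGO login failed: (?P<status>NT_STATUS_\w+)")
MISSING_ATTR = re.compile(
    r"Could not retrieve '(?P<attr>[^']+)' attribute from (?P<dn>\S.*?)\s*$"
)

# Constructed sample: the lines from the thread plus a made-up timestamp
# prefix and a second user, so that the per-user count means something.
SAMPLE_LOG = [
    r"[2015/08/13 12:02:01, 3] auth_ntlmssp: Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD",
    r"[2015/08/13 12:02:01, 2] SPNEGO login failed: NT_STATUS_WRONG_PASSWORD",
    r"[2015/08/13 12:02:05, 3] auth_ntlmssp: Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD",
    r"[2015/08/13 12:02:09, 3] auth_ntlmssp: Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD",
    r"[2015/08/13 12:03:00, 3] auth_ntlmssp: Checking NTLMSSP password for MSP\otheruser failed: NT_STATUS_WRONG_PASSWORD",
    r"[2015/08/13 12:03:10, 3] Attribute [displayName] not found.",
    r"[2015/08/13 12:03:10, 1] Could not retrieve 'displayName' attribute from cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain",
]


def triage(lines, threshold=3):
    """Summarise the lines: NTLMSSP failures per (user, status), SPNEGO
    failures per status, attributes the backend could not read, and the
    (user, status, count) tuples at or above `threshold`."""
    failures, spnego, missing = Counter(), Counter(), set()
    for line in lines:
        m = NTLM_FAIL.search(line)
        if m:
            failures[(m.group("user"), m.group("status"))] += 1
            continue
        m = SPNEGO_FAIL.search(line)
        if m:
            spnego[m.group("status")] += 1
            continue
        m = MISSING_ATTR.search(line)
        if m:
            missing.add((m.group("attr"), m.group("dn")))
    bursts = [(u, s, n) for (u, s), n in failures.items() if n >= threshold]
    return {
        "failures": failures,
        "spnego": spnego,
        "missing_attributes": sorted(missing),
        "bursts": bursts,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feed it real lines with `triage(open("/var/log/samba/log.smbd").read().splitlines())`; a non-empty `missing_attributes` list points at the directory schema rather than at the user's password, while `bursts` singles out accounts that keep failing.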

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-12 Thread Matt .
Hi,

OK the default IPA way works great actually when testing it as described here:

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

On the samba server I can auth and see my share where I want to connect to.

The issue is, on Windows I cannot auth, even when I do DOMAIN\username
as username

So, the IPA way should work.

Any comments here ?

Cheers,

Matt

2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com:
 HI GUys,

 I'm testing this out and I think I have almost set this up, on a CentOS samba
 server.

 I'm using the ipa-adtrust way of Youenn but it seems we still need to
 add (objectclass=sambaSamAccount)) ?

 Info is welcome!

 I will report back when I have it working.

 Thanks!

 Matt

 2015-08-10 11:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 The next route I will try - is the one Youenn took, using ipa-adtrust



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   10.08.2015 10:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Okay this is good to hear.

 But don't we want an IPA managed Scheme ?

 When I did an ipa-adtrust-install --add-sids it also wanted a locally
 installed Samba and I wonder why.

 Good that we make some progress on making it all clear.

 Cheers,

 Matt

 2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 ldapsam + the samba extensions, pretty much as described in the
 Techslaves
 article. Once I have a draft for the wiki page, I will mail you.



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 21:17
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 Yes I know about anything but which way did you use now ?



 2015-08-09 20:56 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1. - so anything that works on that should be good for
 RHEL
 and Centos 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
 have suggested earlier, we will likely end up with several, one for each of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS ? So Samba and FreeIPA ?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howto's ?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the
 correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because
 it is currently giving me the classic Your session has expired. Please
 re-login. error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA
 users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also
 updated
 today.

 There is also an existing alternative to hacking group.py, using Class of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html.
 I have not yet tried it, but it sounds reasonable.
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-10 Thread Christopher Lamb
The next route I will try - is the one Youenn took, using ipa-adtrust



From:   Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date:   10.08.2015 10:03
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Okay this is good to hear.

But don't we want an IPA managed Scheme ?

When I did an ipa-adtrust-install --add-sids it also wanted a locally
installed Samba and I wonder why.

Good that we make some progress on making it all clear.

Cheers,

Matt

2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 ldapsam + the samba extensions, pretty much as described in the Techslaves
 article. Once I have a draft for the wiki page, I will mail you.



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 21:17
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 Yes I know about anything but which way did you use now ?



 2015-08-09 20:56 GMT+02:00 Christopher Lamb
christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1. - so anything that works on that should be good for RHEL
 and Centos 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
 have suggested earlier, we will likely end up with several, one for each of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS ? So Samba and FreeIPA ?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howto's ?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because
 it is currently giving me the classic Your session has expired. Please
 re-login. error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also updated
 today.

 There is also an existing alternative to hacking group.py, using Class of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html.
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Jakub Hrozek
On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
 Hi Alexander,
 
 Yes I'm on the same path, but for now I would like to get it working
 on Ubuntu for the time being.
 
 Are you sure Ubuntu is no MIT ? We have discussed that some time ago
 on IRC and it seemed to be that Ubuntu was built against MIT.

I talked to the Ubuntu maintainer last week and he said that:
* SSSD is built against MIT.
* Samba against Heimdal.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi,

Yes that is known for SSSD, but there must be another way maybe ?

I wonder what the future is there, as it seems there is none when this
is not changed I guess.



2015-08-09 9:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com:
 On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote:
 Hi Alexander,

 Yes I'm on the same path, but for now I would like to get it working
 on Ubuntu for the time being.

 Are you sure Ubuntu is no MIT ? We have discussed that some time ago
 on IRC and it seemed to be that Ubuntu was built against MIT.

 I talked to the Ubuntu maintainer last week and he said that:
 * SSSD is built against MIT.
 * Samba against Heimdal.




Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Jakub Hrozek
On Sun, Aug 09, 2015 at 10:23:50AM +0200, Matt . wrote:
 Hi,
 
 Yes that is known for SSSD, but there must be another way maybe ?
 
 I wonder what the future is there, as it seems there is non when this
 is not changed I guess.

The future is MIT according to the recent development and commits to samba
git tree :-)



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi Chris,

This sounds great!

What are you using now, both CentOS ? So Samba and FreeIPA ?

Maybe it's good to explain which way you used now in steps too, so we
can combine or create multiple howto's ?

At least we are going somewhere!

Thanks,

Matt

2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI, because
 it is currently giving me the classic Your session has expired. Please
 re-login. error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also updated
 today.

 There is also an existing alternative to hacking group.py, using Class of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html.
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:


 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa


 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick):
 scp /usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
 You can also try to recompile it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
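Two checks in this message are done by hand: Matt's "IPA Error 4205: ObjectclassViolation, missing attribute sambaGroupType required by object class sambaGroupMapping", and Youenn's step "use your ldap browser to check ipaNTHash values are here on user objects". The following is an added example, not code from the thread or from FreeIPA or Samba, that runs both checks over an LDIF export (for instance the output of the `ldapsearch -Y GSSAPI` call Youenn mentions) before anything is written to the directory. The LDIF is constructed, the SIDs and the base64 hash are placeholders, and the REQUIRED table is this example's reading of the Samba schema's MUST attributes, which you should verify against the schema actually loaded on your server.

```python
"""Pre-flight checks for Samba-related entries in the FreeIPA directory.

Added example for this thread, not FreeIPA or Samba project code. It
reproduces two checks the thread does by hand: the ObjectclassViolation
Matt hit (sambaGroupMapping without sambaGroupType) and Youenn's step
"use your ldap browser to check ipaNTHash values are here on user
objects". The REQUIRED table is this example's reading of the Samba
schema; verify it against the schema actually loaded in your directory.
"""

# objectClass -> attributes the Samba schema marks MUST (assumption, see
# above). An entry missing one of these is rejected by the server with
# the ObjectclassViolation error quoted in the thread.
REQUIRED = {
    "sambagroupmapping": ("gidnumber", "sambasid", "sambagrouptype"),
    "sambasamaccount": ("uid", "sambasid"),
}

# Constructed LDIF: one group missing sambaGroupType, one user that has
# been through a password change (ipaNTHash present) and one that has not.
# The SID values and the base64 hash are made-up placeholders.
SAMPLE_LDIF = """\
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=my,dc=domain
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Default SMB Group
gidNumber: 1001
sambaSID: S-1-5-21-1111-2222-3333-1001

dn: uid=alice,cn=users,cn=accounts,dc=my,dc=domain
objectClass: top
objectClass: posixAccount
objectClass: ipaNTUserAttrs
uid: alice
uidNumber: 1200
gidNumber: 1200
ipaNTSecurityIdentifier: S-1-5-21-1111-2222-3333-1200
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==

dn: uid=bob,cn=users,cn=accounts,dc=my,dc=domain
objectClass: top
objectClass: posixAccount
uid: bob
uidNumber: 1201
gidNumber: 1201
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded continuation lines, multi-valued
    attributes, '::' base64 markers tolerated. Attribute names are
    lower-cased; values are kept as written."""
    entries, entry, prev = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and prev is not None:
            entry[prev][-1] += raw[1:]          # folded line
            continue
        if not raw.strip():
            if entry:
                entries.append(entry)
            entry, prev = {}, None
            continue
        if raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        entry.setdefault(name, []).append(value.lstrip(": "))
        prev = name
    return entries


def missing_required(entry):
    """{objectClass: [missing attributes]} for one parsed entry: the
    condition the directory reports as ObjectclassViolation."""
    out = {}
    for oc in entry.get("objectclass", []):
        missing = [a for a in REQUIRED.get(oc.lower(), ()) if a not in entry]
        if missing:
            out[oc] = missing
    return out


def users_without_nthash(entries):
    """DNs of posixAccount entries lacking ipaNTHash. Such users cannot
    authenticate through ipasam until their password is changed, because
    FreeIPA only generates the hash on a password change."""
    return [
        e["dn"][0]
        for e in entries
        if "posixaccount" in {c.lower() for c in e.get("objectclass", [])}
        and "ipanthash" not in e
    ]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(e["dn"][0], missing_required(e) or "schema ok")
    print("no ipaNTHash:", users_without_nthash(entries))
```

On the sample the group is reported with `sambagrouptype` missing, which is exactly the error Matt quoted, and bob is listed as a user who still needs a password change before ipasam can authenticate him.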

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-09 Thread Matt .
Hi,

Yes I know about anything but which way did you use now ?



2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1. - so anything that works on that should be good for RHEL
 and Centos 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As we
 have suggested earlier, we will likely end up with several, one for each of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS ? So Samba and FreeIPA ?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howto's ?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba
 Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because
 it is currently giving me the classic Your session has expired. Please
 re-login. error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also updated
 today.

 There is also an existing alternative to hacking group.py, using Class of
 Service (Cos) documented in this thread from February 2015
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html.
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:



 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa



 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick):
 scp /usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
 You can also try to recompile it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try.
 You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-08 Thread Christopher Lamb
Hi Alexander

As this particular stick has many ends, it is easy to grab the wrong one!
8-)

So it sounds like there are / will be at least four integration paths to
integrate Samba and FreeIPA. For clarity my current understanding is as
follows:

1) The longer term path via SSSD and NTLMSSP
1.1) Documentation: Not yet documented, as under development
1.2) Viability 4.x/4.x: In development, not yet available. (???
Any idea of a possible timeline ???)
1.3) Schema Extensions: Will this path use the AD Trust Extensions?
ipasam module?
1.4) Active Directory:  Will this path work without AD (like 2) below)?
1.5) Other: Should be more scalable (less duplication of function e.g.
connections, caches)

2) A path using the IPASAM module + AD Trust Extensions to the FreeIPA
schema.
2.1) Documentation: Is currently best documented further back in
this thread (post(s) from Youenn)
2.2) Viability 4.x/4.x: Is viable for FreeIPA 4.x / Samba 4.x.
This is the path successfully tested / implemented by Youenn. However,
while viable, this solution is not actively supported, as efforts are
focussed on 1) above.
2.3) Schema Extensions: Requires schema extensions
(ipa-adtrust-install).
2.4) Active Directory:  Despite the AD extensions, NO Active Directory
required in the architecture.
2.5) Other: half LDAP (to read NTHash/SID), half Kerberos (to bind samba
to the LDAP).

3) A path using  the LDAPSAM module + Samba Extensions to the FreeIPA
schema.
3.1) Documentation: Is best documented under
http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/,
(although this article contains some small errors).
3.2) Viability 4.x/4.x: May no longer be fully viable for FreeIPA
4.x / Samba 4.x, or only viable with some quirks / workarounds.
3.3) Schema Extensions: Requires schema extensions via LDAPMODIFY /
LDAPADD scripts + changes to FreeIPA python scripts and WebUI
3.4) Active Directory:  NO Active Directory required in the
architecture. (Samba clients can be “islands”).
3.5) Other: Is the path that I am currently using in
production (originally with 3.x/3.x, now with 4.x/4.x)

4) A path using the kerberos module and Active Directory + AD Trust
Extensions to the FreeIPA schema.
4.1) Documentation: Is documented under:
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
4.2) Viability 4.x/4.x: ??? The article above mentions FreeIPA 3.3+,
but also RHEL 7.1 preferred / sssd 1.12.2+, which suggests 4.x / 4.x.
4.3) Schema Extensions: Requires schema extensions
(ipa-adtrust-install)
4.4) Active Directory:  Requires Active Directory + Domain in the
architecture. (i.e. Samba clients are NOT “islands”).

If we can confirm / correct the above, it can serve as the basis for a
FreeIPA Wiki Page, with child How-to articles for each of the viable
solutions.

As I am using solution 3) in production, yet others have problems getting it
working at all, I have now set up a throwaway VM running FreeIPA 4.1 and
Samba 4.1.12, and can experiment freely with 3), and after that with 2).

Cheers

Chris






From:   Alexander Bokovoy aboko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Matt . yamakasi@gmail.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Date:   07.08.2015 23:09
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



On Thu, 06 Aug 2015, Christopher Lamb wrote:
Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong
end
of the stick) requires Active Directory in the architecture.
Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse IPA design for AD integration via trust
for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only way we don't support it (yet) is
because we think doing a longer term solution via SSSD and NTLMSSP
support is better scalability wise -- your SSSD client is already having
LDAP connection and is already holding identity mappings in the cache so
there is no need to run separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.

--
/ Alexander Bokovoy



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Alexander Bokovoy

On Fri, 07 Aug 2015, Matt . wrote:

Hi Alexander,

Yes this is known, but it's not usable yet, at least not on an Ubuntu
Samba server as far as I know ?

If so, maybe you can help us out here to clear this up how to do it.

Sorry, I cannot help you with Ubuntu setup, you need to figure it out
yourself. I did write original instructions Youenn referred to, so I
know they work well and Youenn's configuration just proves that.

Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
Samba build this way.

Anything you would do, you'd be out of the supported way -- either when you
modify the IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
I don't want to spend time on digging up unsupported configuration
details when the same time could be spent on improving FreeIPA 4.2 and
bringing SSSD+Samba setup closer to where we want to have it. Maybe it
sounds harsh but we have to decide what battles we think are more
important and to me this one is more important even considering my spare
time.


Thanks!

Matt

2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:

On Thu, 06 Aug 2015, Christopher Lamb wrote:


Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong
end
of the stick) requires Active Directory in the architecture.


Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse IPA design for AD integration via trust
for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only way we don't support it (yet) is
because we think doing a longer term solution via SSSD and NTLMSSP
support is better scalability wise -- your SSSD client is already having
LDAP connection and is already holding identity mappings in the cache so
there is no need to run separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.

--
/ Alexander Bokovoy




--
/ Alexander Bokovoy



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Alexander,

Yes this is known, but it's not usable yet, at least not on an Ubuntu
Samba server as far as I know ?

If so, maybe you can help us out here to clear this up how to do it.

Thanks!

Matt

2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:
 On Thu, 06 Aug 2015, Christopher Lamb wrote:

 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.

 Yes, you are at the wrong end of the stick. You don't need AD in the
 architecture here. You can reuse IPA design for AD integration via trust
 for normal Samba integration but use ipasam.so instead of ldapsam.so.
 This is what Youenn did. The only way we don't support it (yet) is
 because we think doing a longer term solution via SSSD and NTLMSSP
 support is better scalability wise -- your SSSD client is already having
 LDAP connection and is already holding identity mappings in the cache so
 there is no need to run separate LDAP connection in smbd/winbindd for
 that and cache the same data in a different way.

 --
 / Alexander Bokovoy



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Alexander,

Yes I'm on the same path, but for now I would like to get it working
on Ubuntu for the time being.

Are you sure Ubuntu is not MIT ? We have discussed that some time ago
on IRC and it seemed to be that Ubuntu was built against MIT.

Cheers,

Matt

2015-08-07 23:37 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:
 On Fri, 07 Aug 2015, Matt . wrote:

 Hi Alexander,

 Yes this is known, but it's not usable yet, at least not on an Ubuntu
 Samba server as far as I know ?

 If so, maybe you can help us out here to clear this up how to do it.

 Sorry, I cannot help you with Ubuntu setup, you need to figure it out
 yourself. I did write original instructions Youenn referred to, so I
 know they work well and Youenn's configuration just proves that.

 Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so
 against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided
 Samba build this way.

 Anything you would do, you'd be out of the supported way -- either when you
 modify the IPA LDAP schema or when you build Samba in Ubuntu with MIT Kerberos.
 I don't want to spend time on digging up unsupported configuration
 details when the same time could be spent on improving FreeIPA 4.2 and
 bringing SSSD+Samba setup closer to where we want to have it. Maybe it
 sounds harsh but we have to decide what battles we think are more
 important and to me this one is more important even considering my spare
 time.

 Thanks!

 Matt

 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com:

 On Thu, 06 Aug 2015, Christopher Lamb wrote:


 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong
 end
 of the stick) requires Active Directory in the architecture.


 Yes, you are at the wrong end of the stick. You don't need AD in the
 architecture here. You can reuse IPA design for AD integration via trust
 for normal Samba integration but use ipasam.so instead of ldapsam.so.
 This is what Youenn did. The only way we don't support it (yet) is
 because we think doing a longer term solution via SSSD and NTLMSSP
 support is better scalability wise -- your SSSD client is already having
 LDAP connection and is already holding identity mappings in the cache so
 there is no need to run separate LDAP connection in smbd/winbindd for
 that and cache the same data in a different way.

 --
 / Alexander Bokovoy




 --
 / Alexander Bokovoy



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Christopher Lamb
Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong end
of the stick) requires Active Directory in the architecture.

Chris



From:   Matt . yamakasi@gmail.com
To: Youenn PIOLET piole...@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date:   06.08.2015 14:42
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi,

OK, this sounds already quite logical, but I'm still referring to the
old howto we found earlier, does that one still apply somewhere or not
at all ?

Thanks,

Matt



2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user
objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:

http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) :
scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb
christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
IPA
 
 
 
  Hi guys,
 
  Thank you so much for your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
 
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

  It works perfectly.
 
  I'm using module ipasam.so, which I have manually scp'd to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class
sambaGroupMapping
 
When adding a user.
 
I also see class as fieldname under my Last name, this is not OK
  also.
 
 
 
We sure need to make some howto, I think we can nail this down :)
 
Thanks for the heads up!
 
Matthijs
 
2015-08-05 7:51 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Matt .
Hi Chris,

OK, then we might create two different versions of the wiki, I think
this is nice.

I'm still figuring out why I get that:

IPA Error 4205: ObjectclassViolation

missing attribute sambaGroupType required by object class sambaGroupMapping

Matt

2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory involved: In
 my case all the Windows, OSX and Linux clients are islands that sit on the
 same network.

 The route that Youenn has taken (unless I have got completely the wrong end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all ?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user
 objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:

 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) :
 scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to
 recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 
 
 
  Hi guys,
 
  Thank you so much for your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
 
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa

  It works perfectly.
 
  I'm using module ipasam.so, which I have manually scp'd to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-07 Thread Alexander Bokovoy

On Thu, 06 Aug 2015, Christopher Lamb wrote:

Hi Matt

As far as I can make out, there are at least 2 viable Samba / FreeIPA
integration paths.

The route I took is suited where there is no Active Directory involved: In
my case all the Windows, OSX and Linux clients are islands that sit on the
same network.

The route that Youenn has taken (unless I have got completely the wrong end
of the stick) requires Active Directory in the architecture.

Yes, you are at the wrong end of the stick. You don't need AD in the
architecture here. You can reuse IPA design for AD integration via trust
for normal Samba integration but use ipasam.so instead of ldapsam.so.
This is what Youenn did. The only way we don't support it (yet) is
because we think doing a longer term solution via SSSD and NTLMSSP
support is better scalability wise -- your SSSD client is already having
LDAP connection and is already holding identity mappings in the cache so
there is no need to run separate LDAP connection in smbd/winbindd for
that and cache the same data in a different way.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-06 Thread Youenn PIOLET
Hey guys,

I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

General idea:

On FreeIPA (4.1)
- `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
attribute, also known as SID)
- regenerate each user password to build ipaNTHash attribute, not here by
default on users
- use your ldap browser to check ipaNTHash values are here on user objects
- create a CIFS service for your samba server
- Create user roles/permissions as described here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
so
that CIFS service will be able to read ipaNTsecurityidentifier and
ipaNTHash attributes in LDAP (ACI)
- SCP ipasam.so module to your cifs server (this is the magic trick) : scp
/usr/lib64/samba/pdb/ipasam.so root@samba-server.domain:/usr/lib64/samba/pdb/
You can also try to recompile it.

On SAMBA Server side (CentOS 7...)
- Install server keytab file for CIFS
- check ipasam.so is here.
- check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
uid=admin ipaNTHash` thanks to kerberos
- make your smb.conf following the linked thread and restart service

I don't know if it works in Ubuntu. I know sssd has evolved quickly and
ipasam may use quite recent functionalities, the best is to just try. You
can read in previous thread : If you insist on Ubuntu you need to get
ipasam somewhere, most likely to compile it yourself.

Make sure your user has ipaNTHash attribute :)

You may want to debug authentication on samba server, I usually do this:
`tail -f /var/log/samba/log* | grep username`

Cheers
--
Youenn Piolet
piole...@gmail.com


2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi guys,
 
  Thank you so much for your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  It works perfectly.
 
  I'm using module ipasam.so, which I have manually scp'd to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class
sambaGroupMapping
 
When adding a user.
 
I also see class as fieldname under my Last name, this is not OK
 also.
 
 
 
We sure need to make some howto, I think we can nail this down :)
 
Thanks for the heads up!
 
Matthijs
 
2015-08-05 7:51 GMT+02:00 Christopher Lamb 
 christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields
 to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as
 expected.

 When adding the attribute, the wizard offered me ipaCustomFields as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how-to on the
 FreeIPA
 Wiki.

 Chris



 From:   Christopher Lamb/Switzerland/IBM@IBMCH
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 07:31
 Subject:Re: [Freeipa
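
Youenn's checklist depends on two per-user attributes, and the added Python audit below (not from this thread or from FreeIPA) reads an ldapsearch-style LDIF dump and reports users missing ipaNTsecurityidentifier or ipaNTHash, or carrying a hash that is not the 16 bytes an NT hash must be, which is worth running before debugging smb.conf since ipaNTHash is password-equivalent and only the CIFS principal's ACI should be able to read it. The LDIF entries, uids, SIDs and hash values are constructed, and the search base in the comment is an assumption.

```python
"""Audit an LDIF dump of IPA users for the attributes ipasam needs.

Added example for this thread, not FreeIPA code. It checks the two
per-user attributes Youenn's list relies on: ipaNTsecurityidentifier
(the SID, added by `ipa-adtrust-install --add-sids`) and ipaNTHash
(only generated when the user's password is set after that).
"""
import base64
import sys
from typing import Dict, List

NT_HASH_LEN = 16  # an NT hash is MD4 over the UTF-16LE password: always 16 bytes

# Constructed sample, not real directory data. It mimics the output of
#   ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
#       '(uid=*)' uid ipaNTHash ipaNTsecurityidentifier
# (search base assumed): binary values come back base64 ("::") and
# long lines are folded with a leading space. SIDs and hashes are made up.
_GOOD_HASH = base64.b64encode(bytes(range(16))).decode()  # 16-byte value
_SHORT_HASH = base64.b64encode(bytes(range(8))).decode()  # deliberately wrong
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: {_GOOD_HASH}

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTsecurityidentifier: S-1-5-21-1111111111-2222222222-
 3333333333-1002

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
ipaNTsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1003
ipaNTHash:: {_SHORT_HASH}
"""


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: unfold continuation lines, decode '::' base64.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive and ldapsearch echoes whatever case the schema uses.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # folded continuation of previous line
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # ldapsearch comment lines
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" means a binary value
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode()
        current.setdefault(name.lower(), []).append(raw)
    return entries


def audit_entries(entries: List[Dict[str, List[bytes]]]) -> Dict[str, List[str]]:
    """Return {uid: [problems]} for every user ipasam could not serve."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        uid = entry.get("uid", [b"?"])[0].decode()
        problems: List[str] = []
        if "ipantsecurityidentifier" not in entry:
            problems.append("no ipaNTsecurityidentifier (SID not generated)")
        hashes = entry.get("ipanthash")
        if not hashes:
            problems.append("no ipaNTHash (password never set after adtrust install)")
        elif len(hashes[0]) != NT_HASH_LEN:
            problems.append(f"ipaNTHash is {len(hashes[0])} bytes, expected {NT_HASH_LEN}")
        if problems:
            report[uid] = problems
    return report


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """Convenience wrapper: LDIF text in, problem report out."""
    return audit_entries(parse_ldif(text))


if __name__ == "__main__":
    # Usage: python audit_nthash.py [dump.ldif]; without a file the sample runs.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for user, issues in sorted(audit_ldif(source).items()):
        print(f"{user}: {'; '.join(issues)}")
```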

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-06 Thread Matt .
Hi,

OK, this sounds already quite logical, but I'm still referring to the
old howto we found earlier, does that one still apply somewhere or not
at all ?

Thanks,

Matt



2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not here by
 default on users
 - use your ldap browser to check ipaNTHash values are here on user objects
 - create a CIFS service for your samba server
 - Create user roles/permissions as described here:
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
 so that CIFS service will be able to read ipaNTsecurityidentifier and
 ipaNTHash attributes in LDAP (ACI)
 - SCP ipasam.so module to your cifs server (this is the magic trick) : scp
 /usr/lib64/samba/pdb/ipasam.so
 root@samba-server.domain:/usr/lib64/samba/pdb/ You can also try to recompile
 it.

 On SAMBA Server side (CentOS 7...)
 - Install server keytab file for CIFS
 - check ipasam.so is here.
 - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI
 uid=admin ipaNTHash` thanks to kerberos
 - make your smb.conf following the linked thread and restart service

 I don't know if it works in Ubuntu. I know sssd has evolved quickly and
 ipasam may use quite recent functionalities, the best is to just try. You
 can read in previous thread : If you insist on Ubuntu you need to get
 ipasam somewhere, most likely to compile it yourself.

 Make sure your user has ipaNTHash attribute :)

 You may want to debug authentication on samba server, I usually do this:
 `tail -f /var/log/samba/log* | grep username`

 Cheers
 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 17:40 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 This sounds great to me too, but a howto would help to make it more
 clear about what you have done here. The thread confuses me a little
 bit.

 Can you paste your commands so we can test out too and report back ?

 Thanks!

 Matt

 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Youenn
 
  Good news that you have got an integration working
 
  Now you have got it going, and the solution is fresh in your mind, how
  about adding a How-to page on this solution to the FreeIPA wiki?
 
  Chris
 
 
 
  From:   Youenn PIOLET piole...@gmail.com
  To: Matt . yamakasi@gmail.com
  Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
  freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   05.08.2015 14:51
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi guys,
 
  Thank you so much for your previous answers.
  I realised my SID were stored in ipaNTsecurityidentifier, thanks to
  ipa-adtrust-install --add-sids
 
  I found another way to configure smb here:
 
  http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
  It works perfectly.
 
  I'm using module ipasam.so, which I have manually scp'd to the samba server,
  Samba is set to use kerberos + ldapsam via this ipasam module.
  Following the instructions, I created a user role allowing service
  principal to read ipaNTHash value from the LDAP.
  ipaNTHash are generated each time a user changes his password.
  Authentication works perfectly on Windows 7, 8 and 10.
 
  For more details, the previously linked thread is quite clear.
 
  Cheers
 
  --
  Youenn Piolet
  piole...@gmail.com
 
 
  2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
Hi Chris.
 
Yes, Apache Studio did that but I was not sure why it complained it
was already there.
 
I'm still getting:
 
IPA Error 4205: ObjectclassViolation
 
missing attribute sambaGroupType required by object class
sambaGroupMapping
 
When adding a user.
 
    I also see class as field name under my Last name, this is not OK
    either.
 
 
 
We sure need to make some howto, I think we can nail this down :)
 
Thanks for the heads up!
 
Matthijs
 
2015-08-05 7:51 GMT+02:00 Christopher Lamb
  christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields
  to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as
  expected.

 When adding the attribute, the wizard offered me ipaCustomFields
  as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Matt .
Hi Chris.

Yes, Apache Studio did that but I was not sure why it complained it
was already there.

I'm still getting:

IPA Error 4205: ObjectclassViolation

missing attribute sambaGroupType required by object class sambaGroupMapping

When adding a user.

I also see class as fielname under my Last name, this is not OK also.



We sure need to make some howto, I think we can nail this down :)

Thanks for the heads up!

Matthijs

2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 If I use Apache Directory Studio to add an attribute ipaCustomFields to
 cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:

 #!RESULT OK
 #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
 #!DATE 2015-08-05T05:45:04.608
 dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true

 After that I then have a visible attribute ipaCustomFields as expected.

 When adding the attribute, the wizard offered me ipaCustomFields as
 attribute type in a drop down list.

 Once we get this cracked, we really must write a how-to on the FreeIPA
 Wiki.

 Chris



 From:   Christopher Lamb/Switzerland/IBM@IBMCH
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 07:31
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi Matt

 I also got the same result at that step, but can see nothing in Apache
 Directory Studio.

 As I am using existing Samba / FreeIPA groups migrated across, they
 probably were migrated with all the required attributes.

 Looking more closely at that LDIF: I wonder should it not be:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: modify
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF

 i.e. changetype: modify, instead of changetype add ?

 I don't want to play around with my prod directory - I will set up an EL 7.1
 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around
 more destructively.

 Chris





 From:Matt . yamakasi@gmail.com
 To:  Christopher Lamb/Switzerland/IBM@IBMCH
 Cc:  Youenn PIOLET piole...@gmail.com, 
 freeipa-users@redhat.com
 freeipa-users@redhat.com
 Date:05.08.2015 01:01
 Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against 
 IPA



 Hi Chris,

 I'm at the right path, but my issue is that:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF

 Does say it exists, my ldap explorer doesn't show it, and when I add
 it manually as an attribute it still fails when I add a user on this
 sambagrouptype as it's needed by the other attributes

 So that is my issue I think so far.

 Any clue about that ?

 No problem if you don't know something or are no guru, we are all
 learning! :)

 Cheers,

 Matt


 2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I know
 only a little about FreeIPA, and almost nothing about Samba, but I guess I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 setup.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing comparing a new user / group created post adding the
 extensions to a previous existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulties to follow you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Christopher Lamb
Hi Youenn

Good news that you have got an integration working

Now you have got it going, and the solution is fresh in your mind, how
about adding a How-to page on this solution to the FreeIPA wiki?

Chris



From:   Youenn PIOLET piole...@gmail.com
To: Matt . yamakasi@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date:   05.08.2015 14:51
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi guys,

Thank you so much for your previous answers.
I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
ipa-adtrust-install --add-sids

I found another way to configure smb here:
http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
It works perfectly.

I'm using the ipasam.so module, which I manually scp'd to the samba server;
Samba is set to use kerberos + ldapsam via this ipasam module.
Following the instructions, I created a user role allowing the service
principal to read the ipaNTHash value from LDAP.
ipaNTHash values are generated each time a user changes his password.
Authentication works perfectly on Windows 7, 8 and 10.

For more details, the previously linked thread is quite clear.

Cheers

--
Youenn Piolet
piole...@gmail.com


2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
  Hi Chris.

  Yes, Apache Studio did that but I was not sure why it complained it
  was already there.

  I'm still getting:

  IPA Error 4205: ObjectclassViolation

  missing attribute sambaGroupType required by object class
  sambaGroupMapping

  When adding a user.

  I also see class as field name under my Last name, this is not OK either.



  We sure need to make some howto, I think we can nail this down :)

  Thanks for the heads up!

  Matthijs

  2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
   Hi Matt
  
   If I use Apache Directory Studio to add an attribute ipaCustomFields to
   cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
  below:
  
   #!RESULT OK
   #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
   #!DATE 2015-08-05T05:45:04.608
   dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
   changetype: modify
   add: ipaCustomFields
   ipaCustomFields: Samba Group Type,sambagrouptype,true
  
   After that I then have a visible attribute ipaCustomFields as expected.
  
   When adding the attribute, the wizard offered me ipaCustomFields as
   attribute type in a drop down list.
  
   Once we get this cracked, we really must write a how-to on the FreeIPA
   Wiki.
  
   Chris
  
  
  
   From:   Christopher Lamb/Switzerland/IBM@IBMCH
   To:     Matt . yamakasi@gmail.com
   Cc:     freeipa-users@redhat.com freeipa-users@redhat.com
   Date:   05.08.2015 07:31
   Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against
  IPA
   Sent by:        freeipa-users-boun...@redhat.com
  
  
  
   Hi Matt
  
   I also got the same result at that step, but can see nothing in Apache
   Directory Studio.
  
   As I am using existing Samba / FreeIPA groups migrated across, they
   probably were migrated with all the required attributes.
  
   Looking more closely at that LDIF: I wonder should it not be:
  
   ldapmodify -Y GSSAPI <<EOF
   dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
   changetype: modify
   add: ipaCustomFields
   ipaCustomFields: Samba Group Type,sambagrouptype,true
   EOF
  
   i.e. changetype: modify, instead of changetype add ?
  
   I don't want to play around with my prod directory - I will set up an EL
   7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
   around more destructively.
  
   Chris
  
  
  
  
  
   From:            Matt . yamakasi@gmail.com
   To:              Christopher Lamb/Switzerland/IBM@IBMCH
   Cc:              Youenn PIOLET piole...@gmail.com, 
  freeipa-users@redhat.com
               freeipa-users@redhat.com
   Date:            05.08.2015 01:01
   Subject:                 Re: [Freeipa-users] Ubuntu Samba Server Auth
  against IPA
  
  
  
   Hi Chris,
  
   I'm at the right path, but my issue is that:
  
   ldapmodify -Y GSSAPI <<EOF
   dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
   changetype: add
   add: ipaCustomFields
   ipaCustomFields: Samba Group Type,sambagrouptype,true
   EOF
  
   Does say it exists, my ldap explorer doesn't show it, and when I add
   it manually as an attribute it still fails when I add a user on this
   sambagrouptype as it's needed by the other attributes
  
   So that is my issue I think so far.
  
   Any clue about that ?
  
   No problem if you don't know something or are no guru, we are all
   learning! :)
  
   Cheers,
  
   Matt
  
  
   2015-08-04 21:22 GMT+02:00 Christopher Lamb 
  christopher.l...@ch.ibm.com:
   Hi Matt, Youenn
  
   Just to set the background properly, I did not invent this process. I know
   only a little about FreeIPA, and almost nothing about Samba, but I guess I
   was lucky enough to get

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-05 Thread Matt .
Hi,

This sounds great to me too, but a howto would help to make it more
clear about what you have done here. The thread confuses me a little
bit.

Can you paste your commands so we can test out too and report back ?

Thanks!

Matt

2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Youenn

 Good news that you have got an integration working

 Now you have got it going, and the solution is fresh in your mind, how
 about adding a How-to page on this solution to the FreeIPA wiki?

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   05.08.2015 14:51
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi guys,

 Thank you so much for your previous answers.
 I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to
 ipa-adtrust-install --add-sids

 I found another way to configure smb here:
 http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
 It works perfectly.

 I'm using the ipasam.so module, which I manually scp'd to the samba server;
 Samba is set to use kerberos + ldapsam via this ipasam module.
 Following the instructions, I created a user role allowing the service
 principal to read the ipaNTHash value from LDAP.
 ipaNTHash values are generated each time a user changes his password.
 Authentication works perfectly on Windows 7, 8 and 10.

 For more details, the previously linked thread is quite clear.

 Cheers

 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-05 11:10 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Chris.

   Yes, Apache Studio did that but I was not sure why it complained it
   was already there.

   I'm still getting:

   IPA Error 4205: ObjectclassViolation

   missing attribute sambaGroupType required by object class
   sambaGroupMapping

   When adding a user.

    I also see class as field name under my Last name, this is not OK either.



   We sure need to make some howto, I think we can nail this down :)

   Thanks for the heads up!

   Matthijs

   2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt
   
If I use Apache Directory Studio to add an attribute ipaCustomFields to
cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown
   below:
   
#!RESULT OK
#!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
#!DATE 2015-08-05T05:45:04.608
dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
   
After that I then have a visible attribute ipaCustomFields as expected.
   
When adding the attribute, the wizard offered me ipaCustomFields as
attribute type in a drop down list.
   
Once we get this cracked, we really must write a how-to on the FreeIPA
Wiki.
   
Chris
   
   
   
From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Matt . yamakasi@gmail.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date:   05.08.2015 07:31
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
   IPA
Sent by:freeipa-users-boun...@redhat.com
   
   
   
Hi Matt
   
I also got the same result at that step, but can see nothing in Apache
Directory Studio.
   
As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.
   
Looking more closely at that LDIF: I wonder should it not be:
   
 ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF
   
i.e. changetype: modify, instead of changetype add ?
   
 I don't want to play around with my prod directory - I will set up an EL
 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play
 around more destructively.
   
Chris
   
   
   
   
   
From:Matt . yamakasi@gmail.com
To:  Christopher Lamb/Switzerland/IBM@IBMCH
Cc:  Youenn PIOLET piole...@gmail.com, 
   freeipa-users@redhat.com
freeipa-users@redhat.com
Date:05.08.2015 01:01
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth
   against IPA
   
   
   
Hi Chris,
   
I'm at the right path, but my issue is that:
   
 ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF
   
Does say it exists, my ldap explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user on this
sambagrouptype as it's needed by the other attributes
   
So that is my issue I think so far

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

From our smb.conf file:

[global]
   security = user
   passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
   ldap suffix = dc=my,dc=silly,dc=example,dc=com
   ldap admin dn = cn=Directory Manager

So yes, we use Directory Manager, it works for us. I have not tried with a
less powerful user, but it is conceivable that a lesser user may not see
all the required attributes, resulting in no such user errors.

Chris




From:   Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date:   04.08.2015 13:32
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Thanks for the heads up, indeed local is 4 I see now when I add a
group from the GUI, great thanks!

But do you use Directory Manager as ldap admin user or some other
admin account ?

I'm not sure if DM is needed and it should get that deep into IPA.
Also when starting samba it cannot find such user as that sounds
quite known as it has no UID.

From your config I see you use DM, this should work?

Thanks!


Matt

2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb etc.)

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
     comment = JUnit Share
     path = /samba/junit
     browseable = no
     valid users = @smb-junit
     write list = @smb-junit
     force group = smb-junit
     create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step ... (And as we already had samba
groups
 in place, did not need to make new ones via the WebUI).

 However a quick google trawled up this old thread that has a possible
 answer from Peter. (I have not tested it yet myself).

 https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   03.08.2015 12:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
IPA
 Sent by:freeipa-users-boun...@redhat.com



 In my previous reply, I meant no group.js at all.


 2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for that verification!

 It seems that:

 /usr/share/ipa/ui/group.js

 Is not there on IPA 4.1, also there is no .js at all on the whole
 system.

 Any idea there ?

 Thanks again!

 Matt

 2015-08-03 9:53 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 Thankfully I saved the output from those ldapmodify commands (against
 FreeIPA 4.1) and was able to find it again!

 In our case sambagrouptype also seems to have already been present, so
 that should not hurt.

 [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF
 SASL/GSSAPI authentication started
 SASL username: l...@my.silly.example.com
 SASL SSF: 56
 SASL data security layer installed.
 adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
 ldap_add: Already exists (68)

 Chris




 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   02.08.2015 13:33
 Subject:Re: [Freeipa

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:


[2015/08/04 15:29:45.477783,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER


I also wonder if I shall still sync the users locally, or is it needed?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 From our smb.conf file:

 [global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

 So yes, we use Directory Manager, it works for us. I have not tried with a
 less powerful user, but it is conceivable that a lesser user may not see
 all the required attributes, resulting in no such user errors.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 13:32
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work?

 Thanks!


 Matt

 2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb etc.)

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
 smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
     comment = JUnit Share
     path = /samba/junit
     browseable = no
     valid users = @smb-junit
     write list = @smb-junit
     force group = smb-junit
     create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step ... (And as we already had samba
 groups
 in place, did not need to make new ones via the WebUI).

 However a quick google trawled up this old thread that has a possible
 answer from Peter. (I have not tested it yet myself).

 https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   03.08.2015 12:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA
 Sent by:freeipa-users-boun...@redhat.com



 In my previous reply, I meant no group.js at all.


 2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for that verification!

 It seems that:

 /usr/share/ipa/ui/group.js

 Is not there on IPA 4.1, also there is no .js at all on the whole
 system.

 Any idea there ?

 Thanks again!

 Matt

 2015-08-03 9:53 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 Thankfully I saved the output from those ldapmodify commands (against
 FreeIPA 4.1) and was able to find it again!

 In our case sambagrouptype also seems to have

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

I assume [username] is a real username, identical to that in the FreeIPA
cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

Your user should be a member of the appropriate samba groups that you setup
in FreeIPA.

You should check that the user attribute SambaPwdLastSet is set to a
positive value (e.g. 1). If not you get an error in the Samba logs - I
would need to play around again with a test user to find out the exact
error.

I don't understand what you mean about syncing the users local, but we did
not need to do anything like that.

Chris




From:   Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date:   04.08.2015 15:33
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:


[2015/08/04 15:29:45.477783,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER


I also wonder if I shall still sync the users locally, or is it needed?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 From our smb.conf file:

 [global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

 So yes, we use Directory Manager, it works for us. I have not tried with a
 less powerful user, but it is conceivable that a lesser user may not see
 all the required attributes, resulting in no such user errors.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 13:32
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work?

 Thanks!


 Matt

 2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb etc.)

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
 smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
     comment = JUnit Share
     path = /samba/junit
     browseable = no
     valid users = @smb-junit
     write list = @smb-junit
     force group = smb-junit
     create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step ... (And as we already had samba
 groups
 in place, did not need to make new ones via the WebUI).

 However a quick google trawled up this old thread that has a possible
 answer from Peter. (I have not tested it yet myself).

 https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

 Chris

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

I also got the same result at that step, but can see nothing in Apache
Directory Studio.

As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.

Looking more closely at that LDIF: I wonder should it not be:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

i.e. changetype: modify, instead of changetype add ?

I don't want to play around with my prod directory - I will setup an EL 7.1
VM and install FreeIPA 4.x and Samba 4.x That will allow me to play around
more destructively.

Chris





From:   Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Youenn PIOLET piole...@gmail.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Date:   05.08.2015 01:01
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

does say it exists, but my LDAP explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user with this
sambagrouptype, as it's needed by the other attributes.

So that is my issue I think so far.

Any clue about that ?

No problem if you don't know something or are no guru, we are all
learning! :)

Cheers,

Matt


2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I know
 only a little about FreeIPA, and almost nothing about Samba, but I guess I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 set up.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing by comparing a new user / group created post adding the
 extensions to a previously existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulty following you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
 - pdbedit -Lv output is all successful but I can see there is a filter:
 (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
 sambaSamAccount.

 ## LDAP / FreeIPA side
 - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
 server to get samba LDAP extensions.
 - I can see samba classes exist in LDAP but are not used on my group
 objects nor my user objects
 - I have added sambaSamAccount to FreeIPA default user classes,
 and sambaGroupMapping to default group classes. In that state I can't
 create user nor groups anymore, as new samba attributes are needed for
 instantiation.
 - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
 but I don't get what it does.
 - I tried to add the samba.js plugin. It works, and adds the local option
 when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
 (domain). It doesn't work and tells that sambagrouptype attribute doesn't
 exist (but it should now I put sambaGroupType class by default...)

 ## Questions
 0) Can I ask samba not to search sambaSamAccount and use unix / posix
 instead? I guess no.
 1) How to generate the user/group SIDs ? They are requested to add
 sambaSamAccount classes.
 This article doesn't seem relevant since we don't use a domain controller
 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
 and net getlocalsid returns an error.
 2) How to fix samba.js plugin?
 3) I guess an equivalent of samba.js is needed for user creation, where
can
 I find it?
 4) Is your setup working

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt

If I use Apache Directory Studio to add an attribute ipaCustomFields to
cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:

#!RESULT OK
#!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
#!DATE 2015-08-05T05:45:04.608
dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true

After that I then have a visible attribute ipaCustomFields as expected.

When adding the attribute, the wizard offered me ipaCustomFields as
attribute type in a drop down list.

Once we get this cracked, we really must write a how-to on the FreeIPA
Wiki.

Chris



From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: Matt . yamakasi@gmail.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date:   05.08.2015 07:31
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by:freeipa-users-boun...@redhat.com



Hi Matt

I also got the same result at that step, but can see nothing in Apache
Directory Studio.

As I am using existing Samba / FreeIPA groups migrated across, they
probably were migrated with all the required attributes.

Looking more closely at that LDIF: I wonder should it not be:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

i.e. changetype: modify, instead of changetype add ?

I don't want to play around with my prod directory - I will set up an EL 7.1
VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around
more destructively.

Chris





From:Matt . yamakasi@gmail.com
To:  Christopher Lamb/Switzerland/IBM@IBMCH
Cc:  Youenn PIOLET piole...@gmail.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Date:05.08.2015 01:01
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against 
IPA



Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

does say it exists, but my LDAP explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user with this
sambagrouptype, as it's needed by the other attributes.

So that is my issue I think so far.

Any clue about that ?

No problem if you don't know something or are no guru, we are all
learning! :)

Cheers,

Matt


2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I know
 only a little about FreeIPA, and almost nothing about Samba, but I guess I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 set up.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing by comparing a new user / group created post adding the
 extensions to a previously existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulty following you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
 - pdbedit -Lv output is all successful but I can see there is a filter:
 (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
 sambaSamAccount.

 ## LDAP / FreeIPA side
 - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
 server to get samba LDAP extensions.
 - I can see samba classes exist in LDAP but are not used on my group
 objects nor my user objects
 - I have added sambaSamAccount to FreeIPA default user classes,
 and sambaGroupMapping to default group classes. In that state I can't
 create user

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi Chris,

I'm at the right path, but my issue is that:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF

does say it exists, but my LDAP explorer doesn't show it, and when I add
it manually as an attribute it still fails when I add a user with this
sambagrouptype, as it's needed by the other attributes.

So that is my issue I think so far.

Any clue about that ?

No problem if you don't know something or are no guru, we are all learning! :)

Cheers,

Matt


2015-08-04 21:22 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt, Youenn

 Just to set the background properly, I did not invent this process. I know
 only a little about FreeIPA, and almost nothing about Samba, but I guess I
 was lucky enough to get the integration working on a Sunday afternoon. (I
 did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

 It sounds like we need to step back, and look at the test user and group in
 the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

 My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
 (cn=accounts, cn=users):

 * objectClass: sambasamaccount

 * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

 My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
 (cn=accounts, cn=groups):

 * objectClass: sambaGroupMapping

 * Attributes: sambaGroupType, sambaSID

 The Users must belong to one or more of the samba groups that you have
 set up.

 If you don't have something similar to the above (which sounds like it is
 the case), then something went wrong applying the extensions. It would be
 worth testing by comparing a new user / group created post adding the
 extensions to a previously existing user.

 i.e.
 are the extensions missing on existing users / groups?
 are the extensions missing on new users / groups?

 Cheers

 Chris





 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 18:56
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi there,

 I have difficulty following you at this point :)
 Here is what I've done and what I've understood:

 ## SMB Side
 - Testparm OK
 - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
 - pdbedit -Lv output is all successful but I can see there is a filter:
 (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
 sambaSamAccount.

 ## LDAP / FreeIPA side
 - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
 server to get samba LDAP extensions.
 - I can see samba classes exist in LDAP but are not used on my group
 objects nor my user objects
 - I have added sambaSamAccount to FreeIPA default user classes,
 and sambaGroupMapping to default group classes. In that state I can't
 create user nor groups anymore, as new samba attributes are needed for
 instantiation.
 - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
 but I don't get what it does.
 - I tried to add the samba.js plugin. It works, and adds the local option
 when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
 (domain). It doesn't work and tells that sambagrouptype attribute doesn't
 exist (but it should now I put sambaGroupType class by default...)

 ## Questions
 0) Can I ask samba not to search sambaSamAccount and use unix / posix
 instead? I guess no.
 1) How to generate the user/group SIDs ? They are requested to add
 sambaSamAccount classes.
 This article doesn't seem relevant since we don't use a domain controller
 http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
 and net getlocalsid returns an error.
 2) How to fix samba.js plugin?
 3) I guess an equivalent of samba.js is needed for user creation, where can
 I find it?
 4) Is your setup working with Windows 8 / Windows 10 and not only Windows
 7?

 Thanks a lot for your previous and future answers

 --
 Youenn Piolet
 piole...@gmail.com


 2015-08-04 17:55 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi,

   Yes, log is anonymised.

   It's strange, my user doesn't have a SambaPwdLastSet, also when I
   change its password it doesn't get it in ldap.

   There must be something going wrong I guess.

   Matt

   2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt
   
 I assume [username] is a real username, identical to that in the FreeIPA
 cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
   
 Your user should be a member of the appropriate samba groups that you set up
 in FreeIPA.
   
You should check that the user attribute SambaPwdLastSet is set to a
positive value (e.g. 1). If not you get an error in the Samba logs - I
would need to play around again with a test user

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Youenn PIOLET
Hi there,

I have difficulty following you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter:
(&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
sambaSamAccount.

## LDAP / FreeIPA side
- Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get samba LDAP extensions.
- I can see samba classes exist in LDAP but are not used on my group
objects nor my user objects
- I have added sambaSamAccount to FreeIPA default user classes,
and sambaGroupMapping to default group classes. In that state I can't
create user nor groups anymore, as new samba attributes are needed for
instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the local option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and tells that sambagrouptype attribute doesn't
exist (but it should now I put sambaGroupType class by default...)

## Questions
0) Can I ask samba not to search sambaSamAccount and use unix / posix
instead? I guess no.
1) How to generate the user/group SIDs ? They are requested to add
sambaSamAccount classes.
This article doesn't seem relevant since we don't use a domain controller
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
and net getlocalsid returns an error.
2) How to fix samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piole...@gmail.com


2015-08-04 17:55 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi,

 Yes, log is anonymised.

 It's strange, my user doesn't have a SambaPwdLastSet, also when I
 change its password it doesn't get it in ldap.

 There must be something going wrong I guess.

 Matt

 2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
  Hi Matt
 
  I assume [username] is a real username, identical to that in the FreeIPA
  cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
 
  Your user should be a member of the appropriate samba groups that you set up
  in FreeIPA.
 
  You should check that the user attribute SambaPwdLastSet is set to a
  positive value (e.g. 1). If not you get an error in the Samba logs - I
  would need to play around again with a test user to find out the exact
  error.
 
  I don't understand what you mean about syncing the users local, but we did
  not need to do anything like that.
 
  Chris
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH
  Cc: freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   04.08.2015 15:33
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
  A puppet run added another passdb backend, that was causing my issue.
 
  What I still experience is:
 
 
  [2015/08/04 15:29:45.477783,  3]
  ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'username' in passdb.
  [2015/08/04 15:29:45.478026,  2]
  ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password:  Authentication for user [username] ->
  [username] FAILED with error NT_STATUS_NO_SUCH_USER
 
 
  I also wonder if I shall still sync the users local, or is it needed ?
 
  Thanks again,
 
  Matt
 
  2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com
 :
  Hi Matt
 
  From our smb.conf file:
 
  [global]
 security = user
 passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
 ldap suffix = dc=my,dc=silly,dc=example,dc=com
 ldap admin dn = cn=Directory Manager
 
  So yes, we use Directory Manager, it works for us. I have not tried with a
  less powerful user, but it is conceivable that a lesser user may not see
  all the required attributes, resulting in no such user errors.
 
  Chris
 
 
 
 
  From:   Matt . yamakasi@gmail.com
  To: Christopher Lamb/Switzerland/IBM@IBMCH
  Cc: freeipa-users@redhat.com freeipa-users@redhat.com
  Date:   04.08.2015 13:32
  Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 
 
 
  Hi Chris,
 
  Thanks for the heads up, indeed local is 4 I see now when I add a
  group from the GUI, great thanks!
 
  But do you use Directory Manager as ldap admin user or some other
  admin account ?
 
  I'm not sure if DM is needed and it should get that deep into IPA.
  Also when starting samba it cannot find such user as that sounds
  quite known as it has no UID.
 
  From your config I see you use DM, this should work ?
 
  Thanks!
 
 
  Matt
 
 
 
 
 
 


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Christopher Lamb
Hi Matt, Youenn

Just to set the background properly, I did not invent this process. I know
only a little about FreeIPA, and almost nothing about Samba, but I guess I
was lucky enough to get the integration working on a Sunday afternoon. (I
did have an older FreeIPA 3.x / Samba 3.x installation as a reference).

It sounds like we need to step back, and look at the test user and group in
the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.

My FreeIPA / Samba Users have the following Samba extensions in FreeIPA
(cn=accounts, cn=users):

* objectClass: sambasamaccount

* Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet

My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA
(cn=accounts, cn=groups):

* objectClass: sambaGroupMapping

* Attributes: sambaGroupType, sambaSID

The Users must belong to one or more of the samba groups that you have
set up.

If you don't have something similar to the above (which sounds like it is
the case), then something went wrong applying the extensions. It would be
worth testing by comparing a new user / group created post adding the
extensions to a previously existing user.

i.e.
are the extensions missing on existing users / groups?
are the extensions missing on new users / groups?

Cheers

Chris





From:   Youenn PIOLET piole...@gmail.com
To: Matt . yamakasi@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date:   04.08.2015 18:56
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi there,

I have difficulty following you at this point :)
Here is what I've done and what I've understood:

## SMB Side
- Testparm OK
- I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
- pdbedit -Lv output is all successful but I can see there is a filter:
(&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have
sambaSamAccount.

## LDAP / FreeIPA side
- Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA
server to get samba LDAP extensions.
- I can see samba classes exist in LDAP but are not used on my group
objects nor my user objects
- I have added sambaSamAccount to FreeIPA default user classes,
and sambaGroupMapping to default group classes. In that state I can't
create user nor groups anymore, as new samba attributes are needed for
instantiation.
- I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true'
but I don't get what it does.
- I tried to add the samba.js plugin. It works, and adds the local option
when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2
(domain). It doesn't work and tells that sambagrouptype attribute doesn't
exist (but it should now I put sambaGroupType class by default...)

## Questions
0) Can I ask samba not to search sambaSamAccount and use unix / posix
instead? I guess no.
1) How to generate the user/group SIDs ? They are requested to add
sambaSamAccount classes.
This article doesn't seem relevant since we don't use a domain controller
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
and net getlocalsid returns an error.
2) How to fix samba.js plugin?
3) I guess an equivalent of samba.js is needed for user creation, where can
I find it?
4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?

Thanks a lot for your previous and future answers

--
Youenn Piolet
piole...@gmail.com


2015-08-04 17:55 GMT+02:00 Matt . yamakasi@gmail.com:
  Hi,

  Yes, log is anonymised.

  It's strange, my user doesn't have a SambaPwdLastSet, also when I
  change its password it doesn't get it in ldap.

  There must be something going wrong I guess.

  Matt

  2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
   Hi Matt
  
   I assume [username] is a real username, identical to that in the FreeIPA
   cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
  
   Your user should be a member of the appropriate samba groups that you set up
   in FreeIPA.
  
   You should check that the user attribute SambaPwdLastSet is set to a
   positive value (e.g. 1). If not you get an error in the Samba logs - I
   would need to play around again with a test user to find out the exact
   error.
  
   I don't understand what you mean about syncing the users local, but we did
   not need to do anything like that.
  
   Chris
  
  
  
  
   From:   Matt . yamakasi@gmail.com
   To:     Christopher Lamb/Switzerland/IBM@IBMCH
   Cc:     freeipa-users@redhat.com freeipa-users@redhat.com
   Date:   04.08.2015 15:33
   Subject:        Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
  
  
  
   Hi Chris,
  
   A puppet run added another passdb backend, that was causing my issue.
  
   What I still experience is:
  
  
   [2015/08/04 15:29:45.477783,  3]
   ../source3/auth/check_samsec.c:399(check_sam_security)
     check_sam_security: Couldn't find user 'username' in passdb
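Chris's checklist in the message above (sambaSamAccount with sambaSID, sambaNTPassword and a positive sambaPwdLastSet on users; sambaGroupMapping with sambaGroupType and sambaSID on groups; membership in a Samba group) and the ldapsam filter Youenn saw in pdbedit -Lv, turned into an offline check. This is an added example, not code from the thread or from the FreeIPA or Samba projects; it assumes entries as dicts of attribute -> list of values (the shape python-ldap or ldap3 return), a placeholder domain SID, and the classic Samba 3 algorithmic RID mapping for the SIDs it proposes.

```python
# Constructed placeholder: a real domain SID comes from `net getlocalsid` or
# from the sambaDomain entry in the directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Assumption: classic Samba 3 algorithmic RID mapping (RID = 2*id + 1000 for
# users, 2*id + 1001 for groups); a deployment may allocate RIDs differently.
RID_BASE, RID_MULTIPLIER = 1000, 2
VALID_GROUP_TYPES = {"2", "4"}   # sambaGroupType values named in the thread

def first(entry, attr):
    """First value of a (possibly multi-valued) attribute, or None."""
    values = entry.get(attr) or []
    return values[0] if values else None

def object_classes(entry):
    """objectClass values compare case-insensitively in LDAP."""
    return {c.lower() for c in entry.get("objectClass", [])}

def user_rid(uid_number):
    return uid_number * RID_MULTIPLIER + RID_BASE        # users: even RIDs

def group_rid(gid_number):
    return gid_number * RID_MULTIPLIER + RID_BASE + 1    # groups: odd RIDs

def passdb_filter_matches(entry):
    """Mimic the ldapsam filter pdbedit -Lv printed:
    (&(uid=*)(objectclass=sambaSamAccount)).  A user that fails it is
    invisible to Samba, which is what "Couldn't find user ... in passdb" and
    NT_STATUS_NO_SUCH_USER report."""
    return bool(entry.get("uid")) and "sambasamaccount" in object_classes(entry)

def check_sid(entry, expected_rid):
    """Problems with sambaSID: missing, or from a foreign domain."""
    sid = first(entry, "sambaSID")
    if sid is None:
        return ["sambaSID missing (expected %s-%d)" % (DOMAIN_SID, expected_rid)]
    if not sid.startswith(DOMAIN_SID + "-"):
        return ["sambaSID %s is not in domain %s" % (sid, DOMAIN_SID)]
    return []

def check_group(group):
    """Group requirements: sambaGroupMapping, sambaGroupType, sambaSID."""
    problems = []
    if "sambagroupmapping" not in object_classes(group):
        problems.append("objectClass sambaGroupMapping missing")
    if first(group, "sambaGroupType") not in VALID_GROUP_TYPES:
        problems.append("sambaGroupType must be 2 (domain) or 4 (local)")
    return problems + check_sid(group, group_rid(int(first(group, "gidNumber"))))

def check_user(user, groups):
    """User requirements, plus membership in at least one group that passes
    check_group (groups: the group entries the user might belong to)."""
    problems = []
    if not passdb_filter_matches(user):
        problems.append("objectClass sambaSamAccount missing: the ldapsam filter "
                        "(&(uid=*)(objectclass=sambaSamAccount)) will not match")
    if first(user, "sambaNTPassword") is None:
        problems.append("sambaNTPassword missing (written on the next password "
                        "change once the extensions are in place)")
    last_set = first(user, "sambaPwdLastSet")
    if last_set is None or int(last_set) <= 0:
        problems.append("sambaPwdLastSet missing or not a positive value")
    problems += check_sid(user, user_rid(int(first(user, "uidNumber"))))
    samba_group_dns = {g["dn"] for g in groups if not check_group(g)}
    if not samba_group_dns & set(user.get("memberOf", [])):
        problems.append("user is not a member of any valid Samba group")
    return problems

# Constructed sample entries (suffix borrowed from Chris's smb.conf).
BASE = "dc=my,dc=silly,dc=example,dc=com"
SMB_JUNIT = {   # a group extended as in Chris's smb-junit example
    "dn": "cn=smb-junit,cn=groups,cn=accounts," + BASE,
    "objectClass": ["top", "posixgroup", "ipausergroup", "sambaGroupMapping"],
    "gidNumber": ["1500"], "sambaGroupType": ["4"],
    "sambaSID": [DOMAIN_SID + "-4001"],
}
PLAIN_GROUP = {  # a POSIX group the extensions were never applied to
    "dn": "cn=editors,cn=groups,cn=accounts," + BASE,
    "objectClass": ["top", "posixgroup", "ipausergroup"], "gidNumber": ["1501"],
}
GOOD_USER = {
    "dn": "uid=alice,cn=users,cn=accounts," + BASE, "uid": ["alice"],
    "uidNumber": ["1200"],
    "objectClass": ["top", "person", "posixaccount", "sambaSamAccount"],
    "sambaSID": [DOMAIN_SID + "-3400"],
    "sambaNTPassword": ["0" * 32],   # placeholder, not a real NT hash
    "sambaPwdLastSet": ["1"], "memberOf": [SMB_JUNIT["dn"]],
}
BAD_USER = {    # the state Matt and Youenn describe: no Samba extensions
    "dn": "uid=bob,cn=users,cn=accounts," + BASE, "uid": ["bob"],
    "uidNumber": ["1201"], "objectClass": ["top", "person", "posixaccount"],
    "memberOf": [PLAIN_GROUP["dn"]],
}

if __name__ == "__main__":
    for user in (GOOD_USER, BAD_USER):
        print(user["dn"], check_user(user, [SMB_JUNIT, PLAIN_GROUP]) or "OK")
```

Against a live directory the same functions run unchanged over the decoded search results for cn=users and cn=groups under cn=accounts; the report for BAD_USER reproduces the NT_STATUS_NO_SUCH_USER situation from the logs.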

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-04 Thread Matt .
Hi,

Yes, log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet, also when I
change its password it doesn't get it in ldap.

There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 I assume [username] is a real username, identical to that in the FreeIPA
 cn=accounts, cn=users tree? (i.e. you anonymised the log extract).

 Your user should be a member of the appropriate samba groups that you set up
 in FreeIPA.

 You should check that the user attribute SambaPwdLastSet is set to a
 positive value (e.g. 1). If not you get an error in the Samba logs - I
 would need to play around again with a test user to find out the exact
 error.

 I don't understand what you mean about syncing the users local, but we did
 not need to do anything like that.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 15:33
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 A puppet run added another passdb backend, that was causing my issue.

 What I still experience is:


 [2015/08/04 15:29:45.477783,  3]
 ../source3/auth/check_samsec.c:399(check_sam_security)
   check_sam_security: Couldn't find user 'username' in passdb.
 [2015/08/04 15:29:45.478026,  2]
 ../source3/auth/auth.c:288(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [username] ->
 [username] FAILED with error NT_STATUS_NO_SUCH_USER


 I also wonder if I shall still sync the users local, or is it needed ?

 Thanks again,

 Matt

 2015-08-04 14:16 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 From our smb.conf file:

 [global]
security = user
passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
ldap suffix = dc=my,dc=silly,dc=example,dc=com
ldap admin dn = cn=Directory Manager

 So yes, we use Directory Manager, it works for us. I have not tried with a
 less powerful user, but it is conceivable that a lesser user may not see
 all the required attributes, resulting in no such user errors.

 Chris




 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   04.08.2015 13:32
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!


 Matt

 2015-08-04 13:15 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for the heads up, indeed local is 4 I see now when I add a
 group from the GUI, great thanks!

 But do you use Directory Manager as ldap admin user or some other
 admin account ?

 I'm not sure if DM is needed and it should get that deep into IPA.
 Also when starting samba it cannot find such user as that sounds
 quite known as it has no UID.

 From your config I see you use DM, this should work ?

 Thanks!

 Matt

 2015-08-03 17:17 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 It sounds like you now have prepared FreeIPA for Samba.

 I assume you have already configured Samba to authenticate via FreeIPA
 (changes to the [global] section of your smb.conf file, secrets.tdb
 etc.).

 Next you need to add your samba groups to FreeIPA. (i.e FreeIPA groups,
 with SambaGroupType = 4)

 For example:

 In FreeIPA under cn=accounts, cn=users we have a group called
 smb-junit.

 This group has (among others) the attribute SambaGroupType = 4

 We can then use the name of the group in the smb.conf file

 [junit]
 comment = JUnit Share
 path = /samba/junit
 browseable = no
 valid users = @smb-junit
 write list = @smb-junit
 force group = smb-junit
 create mask = 0770


 Ciao

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Petr
 Vobornik pvobo...@redhat.com
 Date:   03.08.2015 16:03
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi,

 OK, I have a Samba Group Type now in my groups details list and also
 in the groups settings tab.

 I'm not 100% how this is managed. I have Grouptype 4, in the groups
 overview it's still empty. But how to manage this between samba and
 ipa ? What should be the reference between the group(names) ?

 Thanks again!

 Matt

 2015-08-03 13:20 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 HI Matt

 It looks like I skipped that step

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
In my previous reply, I meant no group.js at all.


2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi Chris,

 Thanks for that verification!

 It seems that:

 /usr/share/ipa/ui/group.js

 Is not there on IPA.4.1, also there is no .js at all on the whole system.

 Any idea there ?

 Thanks again!

 Matt

 2015-08-03 9:53 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 Thankfully I saved the output from those ldapmodify commands (against
 FreeIPA 4.1) and was able to find it again!

 In our case sambagrouptype also seems to have already been present, so that
 should not hurt.

 [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF
 SASL/GSSAPI authentication started
 SASL username: l...@my.silly.example.com
 SASL SSF: 56
 SASL data security layer installed.
 adding new entry cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
 ldap_add: Already exists (68)

 Chris




 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   02.08.2015 13:33
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Chris,

 Are you doing this on 3.x or also 4.x ?

 As the following already exists:

 ldapmodify -Y GSSAPI <<EOF
 dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
 changetype: add
 add: ipaCustomFields
 ipaCustomFields: Samba Group Type,sambagrouptype,true
 EOF


 And I'm unsure about the python files, as they are slightly different on 4.1


 Thanks!


 2015-08-01 19:51 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 Yes I found that earlier, that looks good and even better when you
 confirm this as really usable.

 For Samba 4 the IPA devs are very busy but I wonder indeed what
 happens when we need to move because integration has been improved.

 I try to keep IPA as native as I can.

 So this is the best way to go for now, even when this thread is so
 old ?

 Thanks!

 Matt


 2015-08-01 9:48 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 For a how-to of Samba FreeIPA integration using schema extensions, see
 this previous thread

 https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

 That should point to this techslaves article with the detailed
 instructions
 that we followed:

 http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

 The main reason we went that way is that we have no AD domain, which seems
 to be required by other integration paths.

 Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
 So things may be different on Ubuntu.

 As always, when changing the LDAP schema, an LDAP browser like Apache
 Directory Studio is very useful to visualise what is going on and to verify
 if your changes are present! (and it is sometimes easier to manually change
 attributes rather than by LDAPMODIFY script)

 There is another ongoing thread in this mailing list about problems with
 the attribute SambaPwdLastSet.

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:58
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,

 This is nice to have confirmed.

 Is it possible for you to describe what you do? It might be handy to
 add this to the IPA documentation also with some explanation why...

 Cheers,

 Matt

 2015-07-31 16:55 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi

 We use the Samba extensions for FreeIPA. Windows 7 users connect to the
 shares using their FreeIPA credentials. The only password mgmt problem
 that we have is that the users get no notice of password expiry until
 suddenly their Samba user (really the FreeIPA user) password is not
 accepted when trying to connect to a share. Once the password is reset (via
 CLI or FreeIPA WebUI), they can access the shares again.

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:21
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,
 I asked the very same question a few weeks ago, but no answer yet.
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

 The only method I see is to install samba extensions in FreeIPA's LDAP
 directory, and bind samba with LDAP. There may be a lot of difficulties
 with password management doing this, that's why I'd like to get a
 better solution :)

 Anyone?


 --
 Youenn Piolet
 piole...@gmail.com


 2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,

   I'm really struggling getting a NON AD Samba server authing against a
   FreeIPA server
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

When we originally integrated FreeIPA and Samba we were on 3.x for both products.

We are now on 4.x for both. The FreeIPA server was a new setup, with users
and hosts migrated across (not replicated). We then ran the scripts in the
techslaves article.

I will look back and see if I can find any notes from the time we did the
integration.

Chris

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

Thankfully I saved the output from those ldapmodify commands (against
FreeIPA 4.1) and was able to find it again!

In our case sambagrouptype also seems to have already been present, so that
should not hurt.

[root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF
SASL/GSSAPI authentication started
SASL username: l...@my.silly.example.com
SASL SSF: 56
SASL data security layer installed.
adding new entry cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
ldap_add: Already exists (68)

Chris
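
The "ldap_add: Already exists (68)" line above is what `changetype: add` produces: that change type asks the directory to create the entry cn=ipaconfig, which every IPA server already has, so the result says nothing about whether the attribute value was added. As an added example (not code from the thread or from FreeIPA), the script below checks the live entry for the "Samba Group Type" value and only then applies a `changetype: modify`; the base DN dc=domain,dc=tld is the placeholder from the thread and the two sample search outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: make the
# "Samba Group Type" custom-field change idempotent.
#
# The LDIF quoted in the thread uses "changetype: add", which tells the
# server to CREATE the entry cn=ipaconfig,cn=etc,... . That entry always
# exists on an IPA server, so ldapmodify reports
# "adding new entry ... ldap_add: Already exists (68)" whether or not the
# attribute value is present. Adding one value to an existing entry is a
# "changetype: modify" with an "add:" sub-operation instead.

FIELD='Samba Group Type,sambagrouptype,true'

# Constructed sample of what `ldapsearch -LLL -s base ... ipaCustomFields`
# prints for a config entry that already carries the field. The suffix
# dc=domain,dc=tld is the placeholder used in the thread.
SAMPLE_WITH_FIELD='dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
ipaCustomFields: Samba Group Type,sambagrouptype,true'

# Constructed sample for a config entry that does not have the field yet.
SAMPLE_WITHOUT_FIELD='dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld'

# has_custom_field LDIF_TEXT
# Returns 0 when the exact ipaCustomFields value is already present.
# Attribute names are case-insensitive in LDAP, hence -i; -F -x make it a
# fixed-string, whole-line match so a similar but different field does not
# count. (The value is short enough that ldapsearch never wraps it.)
has_custom_field() {
    printf '%s\n' "$1" | grep -qiFx "ipaCustomFields: $FIELD"
}

# modify_ldif BASE_DN
# Prints the LDIF that adds one value to the existing ipaconfig entry.
modify_ldif() {
    printf 'dn: cn=ipaconfig,cn=etc,%s\nchangetype: modify\nadd: ipaCustomFields\nipaCustomFields: %s\n' \
        "$1" "$FIELD"
}

# apply BASE_DN
# Reads the live entry and applies the modify only when it is needed.
# Needs a Kerberos ticket for an IPA admin (kinit admin) because both
# tools authenticate with SASL/GSSAPI; -Q suppresses the SASL prompts.
apply() {
    current=$(ldapsearch -LLL -Q -Y GSSAPI -s base \
        -b "cn=ipaconfig,cn=etc,$1" ipaCustomFields) || return 1
    if has_custom_field "$current"; then
        echo "custom field already present, nothing to do"
    else
        modify_ldif "$1" | ldapmodify -Q -Y GSSAPI
    fi
}

# Usage on a real server: apply dc=domain,dc=tld
```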

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
Hi Chris,

Thanks for that verification!

It seems that:

/usr/share/ipa/ui/group.js

is not there on IPA 4.1; there is also no .js at all on the whole system.

Any idea there ?

Thanks again!

Matt

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Christopher Lamb
Hi Matt

It looks like I skipped that step ... (And as we already had samba groups
in place, did not need to make new ones via the WebUI).

However a quick google trawled up this old thread that has a possible
answer from Peter. (I have not tested it yet myself).

https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html

Chris

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-03 Thread Matt .
Hi,

OK, I have a Samba Group Type now in my groups details list and also
in the groups settings tab.

I'm not 100% sure how this is managed. I have Grouptype 4, in the groups
overview it's still empty. But how to manage this between samba and
ipa? What should be the reference between the group(names)?

Thanks again!

Matt

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-02 Thread Matt .
Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: Samba Group Type,sambagrouptype,true
EOF


And I'm unsure about the python files as they are slightly different on 4.1


Thanks!


2015-08-01 19:51 GMT+02:00 Matt . yamakasi@gmail.com:
 Hi,

 Yes I found that earlier, that looks good and even better when you
 confirm this as really usable.

 For Samba 4 the IPA devs are very busy but I wonder indeed what
 happens when we need to move because integration has been improved.

 I try to keep IPA as native as I can.

 So this is the best way to go for now, even when this thread is so old?

 Thanks!

 Matt


 2015-08-01 9:48 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi Matt

 For a how-to of Samba FreeIPA integration using schema extensions, see
 this previous thread

 https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

 That should point to this techslaves article with the detailed instructions
 that we followed:

 http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

 The main reason we went that way is that we have no AD domain, which seems
 to be required by other integration paths.

 Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
 So things may be different on Ubuntu.

 As always, when changing the LDAP schema, an LDAP browser like Apache
 Directory Studio is very useful to visualise what is going on and to verify
 if your changes are present! (and it is sometimes easier to manually change
 attributes rather than by LDAPMODIFY script)

 There is another ongoing thread in this mailing list about problems with
 the attribute SambaPwdLastSet.

 Chris



 From:   Matt . yamakasi@gmail.com
 To:
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:58
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,

 This is nice to have confirmed.

 Is it possible for you to describe what you do? It might be handy to
 add this to the IPA documentation also with some explanation why...

 Cheers,

 Matt

 2015-07-31 16:55 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 Hi

 We use the Samba extensions for FreeIPA. Windows 7 users connect to the
 shares using their FreeIPA credentials. The only password mgmt problem
 that we have is, that the users get no notice of password expiry until
 suddenly their Samba user (really the FreeIPA user) password is not
 accepted when trying to connect to a share. Once the password is reset (via
 CLI or FreeIPA WebUI), they can access the shares again.

 Chris



 From:   Youenn PIOLET piole...@gmail.com
 To: Matt . yamakasi@gmail.com
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   31.07.2015 16:21
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
 Sent by:freeipa-users-boun...@redhat.com



 Hi,
 I asked the very same question a few weeks ago, but no answer yet.
 http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

 The only method I see is to install samba extensions in FreeIPA's LDAP
 directory, and bind samba with LDAP. There may be a lot of difficulties
 with password management doing this, that's why I'd like to get a better
 solution :)

 Anyone?


 --
 Youenn Piolet
 piole...@gmail.com


 2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:
   Hi Guys,

   I'm really struggling getting a NON AD Samba server authing against a
   FreeIPA server:

   Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
   CentOS 7.1 - FreeIPA 4.1

   Now this seems to be the way:


 https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


   But as this, which I also found on the mailing lists:

   NOTE: Only Kerberos authentication will work when accessing Samba
   shares using this method. This means that Windows clients not joined
   to Active Directory forest trusted by IPA would not be able to access
   the shares. This is related to SSSD not yet being able to handle
   NTLMSSP authentication.

   It might not be that easy to have a Samba Shares only server.

   Any idea here how to accomplish this?

   Cheers,

   Matt

   --
   Manage your subscription for the Freeipa-users mailing list:
   https://www.redhat.com/mailman/listinfo/freeipa-users
   Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-01 Thread Matt .
Hi,

Yes I found that earlier, that looks good and even better when you
confirm this as really usable.

For Samba 4 the IPA devs are very busy but I wonder indeed what
happens when we need to move because integration has been improved.

I try to keep IPA as native as I can.

So this is the best way to go for now, even when this thread is so old?

Thanks!

Matt




Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-01 Thread Christopher Lamb
Hi Matt

For a how-to of Samba/FreeIPA integration using schema extensions, see
this previous thread:

https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html

That should point to this techslaves article with the detailed instructions
that we followed:

http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

The main reason we went that way is that we have no AD domain, which seems
to be required by other integration paths.

Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
So things may be different on Ubuntu.

As always, when changing the LDAP schema, an LDAP browser like Apache
Directory Studio is very useful to visualise what is going on and to verify
that your changes are present! (And it is sometimes easier to change
attributes manually than by an LDAPMODIFY script.)

There is another ongoing thread in this mailing list about problems with
the attribute SambaPwdLastSet.

Chris





Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Youenn PIOLET
Hi,
I asked the very same question a few weeks ago, but no answer yet.
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174

The only method I see is to install samba extensions in FreeIPA's LDAP
directory, and bind samba with LDAP. There may be a lot of difficulties
with password management doing this, that's why I'd like to get a better
solution :)

Anyone?


--
Youenn Piolet
piole...@gmail.com


2015-07-31 16:03 GMT+02:00 Matt . yamakasi@gmail.com:

 Hi Guys,

 I'm really struggling getting a non-AD Samba server authenticating against a
 FreeIPA server:

 Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
 CentOS 7.1 - FreeIPA 4.1

 Now this seems to be the way:

 https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 But there is also this, which I found on the mailing lists:

 NOTE: Only Kerberos authentication will work when accessing Samba
 shares using this method. This means that Windows clients not joined
 to an Active Directory forest trusted by IPA would not be able to access
 the shares. This is related to SSSD not yet being able to handle
 NTLMSSP authentication.

 It might not be that easy to have a Samba-shares-only server.

 Any idea how to accomplish this?

 Cheers,

 Matt


Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi,

This is nice to have confirmed.

Is it possible for you to describe what you do? It might be handy to
add this to the IPA documentation as well, with some explanation why...

Cheers,

Matt



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Matt .
Hi Lucas,

Thank you for this reply.

In this case it should simply work by creating the symlinks, or are
there other issues we might get?

Thanks,

Matt

2015-07-31 17:21 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com:
 On (31/07/15 16:03), Matt . wrote:
  Hi Guys,

  I'm really struggling getting a non-AD Samba server authenticating against a
  FreeIPA server:

  Ubuntu 14.04 - Samba (no AD) / SSSD 1.12.5
  CentOS 7.1 - FreeIPA 4.1

  Now this seems to be the way:

  https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

 As you can see this howto is mainly written for rpm based distributions.
 The most important difference between sssd 1.12.5 for ubuntu[1]
 and sssd >= 1.12 in fedora[2] is the packaging of sssd-libwbclient.

 sssd-libwbclient and libwbclient(from samba) use alternatives
 to switch between these libraries.


 Ubuntu 14.04
 root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/libwbclient*
 lrwxrwxrwx. 1 root root    19 Jul  1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0 -> libwbclient.so.0.11
 -rw-r--r--. 1 root root 43216 Jul  1 15:38 /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11

 root@48c613c6a3fc:/# ls -l /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient*
 lrwxrwxrwx. 1 root root    21 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0 -> libwbclient.so.0.12.0
 -rw-r--r--. 1 root root 30800 Jun 15 18:14 /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0


 Fedora 21
 bash-4.3# alternatives --display libwbclient.so.0.11-64
 libwbclient.so.0.11-64 - status is auto.
  link currently points to /usr/lib64/samba/wbclient/libwbclient.so.0.11
 /usr/lib64/samba/wbclient/libwbclient.so.0.11 - priority 10
 /usr/lib64/sssd/modules/libwbclient.so.0.12.0 - priority 5
 Current `best' version is /usr/lib64/samba/wbclient/libwbclient.so.0.11.


 So if you want to use this howto on ubuntu then you need to create
 the symbolic links on your own.


 Feel free to update the Howto page with additional information
 if you manage to solve it on ubuntu.

 LS

 [1] https://launchpad.net/~sssd/+archive/ubuntu/updates
 [2] https://admin.fedoraproject.org/updates/sssd



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Christopher Lamb
Hi

We use the Samba extensions for FreeIPA. Windows 7 users connect to the
shares using their FreeIPA credentials. The only password management problem
that we have is that the users get no notice of password expiry until
suddenly their Samba user (really the FreeIPA user) password is not
accepted when trying to connect to a share. Once the password is reset (via
CLI or the FreeIPA WebUI), they can access the shares again.

Chris





Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-07-31 Thread Lukas Slebodnik
On (31/07/15 18:15), Matt . wrote:
 Hi Lucas,

 Thank you for this reply.

 In this case it should simply work by creating the symlinks, or are
 there other issues we might get?

1st problem: the current samba version of libwbclient needs to be moved to
another place.

2nd problem: manually created symbolic links will be broken with the next
update of sssd or samba (e.g. a security update)

3rd problem: such changes might cause trouble for other applications;
they need to be carefully tested (which they are not on ubuntu)


LS

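The two replies from Lukas above describe one procedure and its failure mode: Ubuntu 14.04 ships sssd's libwbclient without an alternatives entry, so libwbclient.so.0 has to be re-pointed by hand, samba's own copy has to leave the library directory, and the hand-made link breaks on the next sssd or samba update. The script below is an added example written for this thread; it is not code from the thread, from SSSD or from Samba. It uses the directory layout and version numbers quoted in the ls output (libwbclient.so.0.11 for samba, sssd/modules/libwbclient.so.0.12.0 for sssd); the holding directory name samba-wbclient.orig, the constructed demo tree and the "0.13.0" stand-in for a later sssd build are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD/Samba projects.
# Exercises the manual libwbclient switch on Ubuntu 14.04 and shows why it
# breaks on the next package update. Layout and version numbers follow the
# ls output quoted in the thread; the holding directory and the demo tree
# are assumptions made for this example.

# which_wbclient LINK
# Prints "samba", "sssd" or "broken" depending on where LINK finally resolves.
# Run it against /usr/lib/x86_64-linux-gnu/libwbclient.so.0 after every
# sssd or samba upgrade to catch a dangling or silently reverted link.
which_wbclient() {
    target=$(readlink -f -- "$1" 2>/dev/null || true)
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo broken
        return 0
    fi
    case "$target" in
        */sssd/modules/*) echo sssd ;;
        *)                echo samba ;;
    esac
}

# point_at_sssd LIBDIR [SSSD_LIBRARY_FILE]
# The manual switch: park samba's copy outside the linker search path, then
# point libwbclient.so.0 at sssd's build. Parking the file is the "must be
# moved" problem: ldconfig recreates libwbclient.so.0 -> libwbclient.so.0.11
# from the SONAME of any samba copy it still finds in LIBDIR.
point_at_sssd() {
    libdir=$1
    sssdfile=${2:-libwbclient.so.0.12.0}
    if [ ! -e "$libdir/sssd/modules/$sssdfile" ]; then
        echo "sssd libwbclient not found: $libdir/sssd/modules/$sssdfile" >&2
        return 1
    fi
    mkdir -p "$libdir/samba-wbclient.orig"            # assumed holding directory
    if [ -e "$libdir/libwbclient.so.0.11" ]; then
        mv "$libdir/libwbclient.so.0.11" "$libdir/samba-wbclient.orig/"
    fi
    ln -sfn "sssd/modules/$sssdfile" "$libdir/libwbclient.so.0"
}

# make_demo_tree ROOT
# Constructed stand-in for the Ubuntu 14.04 layout from the message, so the
# functions can be tried without touching a real system. Prints LIBDIR.
make_demo_tree() {
    libdir="$1/usr/lib/x86_64-linux-gnu"
    mkdir -p "$libdir/sssd/modules"
    : > "$libdir/libwbclient.so.0.11"                  # samba's copy
    : > "$libdir/sssd/modules/libwbclient.so.0.12.0"   # sssd's copy
    ln -s libwbclient.so.0.11 "$libdir/libwbclient.so.0"
    ln -s libwbclient.so.0.12.0 "$libdir/sssd/modules/libwbclient.so.0"
    echo "$libdir"
}

# simulate_sssd_update LIBDIR
# What a package update does to the hand-made link: sssd ships a new file
# (0.13.0 is an assumed version), the old one disappears, and nothing
# repairs libwbclient.so.0 in LIBDIR.
simulate_sssd_update() {
    mv "$1/sssd/modules/libwbclient.so.0.12.0" "$1/sssd/modules/libwbclient.so.0.13.0"
    ln -sfn libwbclient.so.0.13.0 "$1/sssd/modules/libwbclient.so.0"
}

case "${1:-}" in
    demo)
        libdir=$(make_demo_tree "$(mktemp -d)")
        echo "fresh install:       $(which_wbclient "$libdir/libwbclient.so.0")"
        point_at_sssd "$libdir"
        echo "after manual switch: $(which_wbclient "$libdir/libwbclient.so.0")"
        simulate_sssd_update "$libdir"
        echo "after sssd update:   $(which_wbclient "$libdir/libwbclient.so.0")"
        rm -rf "${libdir%/usr/lib/x86_64-linux-gnu}"
        ;;
    "") ;;                     # no argument: only define the functions
    *)  which_wbclient "$1" ;; # e.g. ./wbclient-check.sh /usr/lib/x86_64-linux-gnu/libwbclient.so.0
esac
```

Running the script with the argument demo walks the constructed tree through the three states (samba, sssd, broken); running it with a path classifies a real link. On a real host the second state only survives until the next sssd or samba upgrade, which is the point of Lukas's warning, so the check belongs in whatever post-upgrade verification you already run on the file server rather than being done once at install time.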