Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
On 08/11/2014 09:29 PM, dbisc...@hrz.uni-kassel.de wrote:
> Hi,
>
> On Sun, 10 Aug 2014, Dmitri Pal wrote:
>> On 07/21/2014 10:15 AM, dbisc...@hrz.uni-kassel.de wrote:
>>> On Wed, 16 Jul 2014, Dmitri Pal wrote:
>>>> On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
>>>>> I have IPA running on a CentOS 6 server. This server also acts as NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.
>>>>
>>>> Support of Windows users is still where it was. Code might have changed so the solution might not apply any more cleanly. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross forest trusts we will make it supported. Then we will be able to support cases like you describe. Also right now Samba FS as a member of IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place but that would still have some problems when one has to come from a Windows client as there is no SSSD equivalent for Windows clients. Bottom line: no, there is no better info, sorry.
>>>
>>> Bummer. Just to make sure: I don't want my Windows users to be able to log on to their systems using IPA auth, they all have local accounts. I just want them to be able to manually mount their home shares.
>>
>> Sorry for a delayed response, I am slowly catching up on these threads. Mounting a share requires authentication with the account that Samba FS server knows about. Samba FS server until now could have been joined to AD only. Samba 4 DC can be used as an alternative to AD. But in both cases Samba FS can't yet be a member of the IPA domain. We are working on it. So once it is done you might be able to manually mount shares using the accounts managed by IPA. It is a question of a couple of months really, so maybe you can wait for this functionality to emerge and try it?
>
> Will that feature (Samba shares w/ IPA accounts) be available for IPA 3.0 as in RHEL/CentOS6 or for IPA4 only? Waiting another couple of months would be perfectly ok for me, if I could then just update the IPA package and do some additional configuration to make it work. I'd happily take part in testing the feature in advance, too.
>
> Mit freundlichen Gruessen/With best regards,
> --Daniel.

You would need SSSD 1.12.1 for this to work. CC to https://fedorahosted.org/sssd/ticket/1588 and you will get notifications on the status changes of the ticket. Once you see it closed you can grab a build and try it out. See help on the SSSD users list or on IRC. Thanks for offering testing, really appreciated.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
Hi,

On Sun, 10 Aug 2014, Dmitri Pal wrote:
> On 07/21/2014 10:15 AM, dbisc...@hrz.uni-kassel.de wrote:
>> On Wed, 16 Jul 2014, Dmitri Pal wrote:
>>> On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
>>>> I have IPA running on a CentOS 6 server. This server also acts as NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.
>>>
>>> Support of Windows users is still where it was. Code might have changed so the solution might not apply any more cleanly. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross forest trusts we will make it supported. Then we will be able to support cases like you describe. Also right now Samba FS as a member of IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place but that would still have some problems when one has to come from a Windows client as there is no SSSD equivalent for Windows clients. Bottom line: no, there is no better info, sorry.
>>
>> Bummer. Just to make sure: I don't want my Windows users to be able to log on to their systems using IPA auth, they all have local accounts. I just want them to be able to manually mount their home shares.
>
> Sorry for a delayed response, I am slowly catching up on these threads. Mounting a share requires authentication with the account that Samba FS server knows about. Samba FS server until now could have been joined to AD only. Samba 4 DC can be used as an alternative to AD. But in both cases Samba FS can't yet be a member of the IPA domain. We are working on it. So once it is done you might be able to manually mount shares using the accounts managed by IPA. It is a question of a couple of months really, so maybe you can wait for this functionality to emerge and try it?

Will that feature (Samba shares w/ IPA accounts) be available for IPA 3.0 as in RHEL/CentOS6 or for IPA4 only? Waiting another couple of months would be perfectly ok for me, if I could then just update the IPA package and do some additional configuration to make it work. I'd happily take part in testing the feature in advance, too.

Mit freundlichen Gruessen/With best regards,
--Daniel.

Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
On 07/21/2014 10:15 AM, dbisc...@hrz.uni-kassel.de wrote:
> Dmitri, thanks for your answer.
>
> On Wed, 16 Jul 2014, Dmitri Pal wrote:
>> On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
>>> I have IPA running on a CentOS 6 server. This server also acts as NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.
>>
>> Support of Windows users is still where it was. Code might have changed so the solution might not apply any more cleanly. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross forest trusts we will make it supported. Then we will be able to support cases like you describe. Also right now Samba FS as a member of IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place but that would still have some problems when one has to come from a Windows client as there is no SSSD equivalent for Windows clients. Bottom line: no, there is no better info, sorry.
>
> Bummer. Just to make sure: I don't want my Windows users to be able to log on to their systems using IPA auth, they all have local accounts. I just want them to be able to manually mount their home shares.

Sorry for a delayed response, I am slowly catching up on these threads. Mounting a share requires authentication with the account that Samba FS server knows about. Samba FS server until now could have been joined to AD only. Samba 4 DC can be used as an alternative to AD. But in both cases Samba FS can't yet be a member of the IPA domain. We are working on it. So once it is done you might be able to manually mount shares using the accounts managed by IPA. It is a question of a couple of months really, so maybe you can wait for this functionality to emerge and try it?

Thanks
Dmitri

> Since I'm still more or less testing stuff, I wonder where to go from here. Before biting the bullet having separate Samba accounts: Would it help to switch to Samba 4? This post https://www.redhat.com/archives/freeipa-users/2013-April/msg00248.html suggests that it's possible. Somebody out there did it successfully?
>
> [1] http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> Mit freundlichen Gruessen/With best regards,
> --Daniel.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
Dmitri, thanks for your answer.

On Wed, 16 Jul 2014, Dmitri Pal wrote:
> On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
>> I have IPA running on a CentOS 6 server. This server also acts as NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.
>
> Support of Windows users is still where it was. Code might have changed so the solution might not apply any more cleanly. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross forest trusts we will make it supported. Then we will be able to support cases like you describe. Also right now Samba FS as a member of IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place but that would still have some problems when one has to come from a Windows client as there is no SSSD equivalent for Windows clients. Bottom line: no, there is no better info, sorry.

Bummer. Just to make sure: I don't want my Windows users to be able to log on to their systems using IPA auth, they all have local accounts. I just want them to be able to manually mount their home shares.

Since I'm still more or less testing stuff, I wonder where to go from here. Before biting the bullet having separate Samba accounts: Would it help to switch to Samba 4? This post https://www.redhat.com/archives/freeipa-users/2013-April/msg00248.html suggests that it's possible. Somebody out there did it successfully?

[1] http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

Mit freundlichen Gruessen/With best regards,
--Daniel.

Re: [Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
On 07/16/2014 07:16 AM, dbisc...@hrz.uni-kassel.de wrote:
> Hi,
>
> this has been discussed on this list and elsewhere [1], but I'm still a little puzzled:
>
> I have IPA running on a CentOS 6 server. This server also acts as NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine (NFS, automount, user auth for ssh and display manager). Since I also have some Windows users, I want them to be able to mount their homes via Samba using their IPA password. Just that, no AD or other fancy stuff.

Support of Windows users is still where it was. Code might have changed so the solution might not apply any more cleanly. Our general vision is that Windows users belong to Windows and have to be either in AD or in Samba4. As soon as Samba 4 supports cross forest trusts we will make it supported. Then we will be able to support cases like you describe. Also right now Samba FS as a member of IPA domain does not work well. It should work better with SSSD 1.12.1 and IPA 4.1 when we make sure that all parts are in place but that would still have some problems when one has to come from a Windows client as there is no SSSD equivalent for Windows clients. Bottom line: no, there is no better info, sorry.

> I read the instructions at [1], which appear to suit my case but at least the group.js UI patch is outdated. Is there a more recent howto to follow? Is patching the source at all still necessary? Will doing so break the opportunity to install a replica (a step that I have planned but not yet accomplished)?
>
> Thanks for your help.
>
> [1] http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> Mit freundlichen Gruessen/With best regards,
> --Daniel.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.