Re: [Freeipa-users] ipa samba win7

2012-07-11 Thread Simo Sorce
On Tue, 2012-07-10 at 09:59 -0700, george he wrote:
> Hi Simo,
> Could you advise how to add
>
> 1. the samba samAccount objectclass to a user, and
> 2. the sambaGroups class to a group?
>
> I guess I would need to use ldap commands, which I don't know enough.

Yes, we do not have pre-canned scripts for samba integration yet.

> By the way, do I need to add both of the above, or if everybody is
> allowed to use the samba share, (and they are all in ipausers group),
> I would only need to add the sambaGroups class to ipausers group?

Up to you which groups you want to 'samba-enable', however the groups
need to be 'posix' groups, and we recently changed ipausers to be a
non-posix group. Of course existing installations will not be affected
but if you are planning new ones keep in mind ipausers cannot generally
be used as a samba group unless you turn it into a posix group first.
However, also keep in mind we discourage using ipausers as a posix group
for performance reasons in domains with many users and recommend instead
to create smaller targeted groups.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
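
Added example (not part of the thread and not FreeIPA project code): a shell sketch that emits the LDIF for the two changes discussed above and refuses a group with no gidNumber, since only posix groups qualify. Assumptions: the stock Samba schema names sambaSamAccount and sambaGroupMapping (the thread calls them "samba samAccount" and "sambaGroups"), the default FreeIPA tree layout, a constructed base DN and domain SID, and Samba's legacy algorithmic RID convention.

```shell
#!/bin/sh
# Added example: emit LDIF that samba-enables an IPA user and a posix group.
BASE_DN="dc=example,dc=com"                              # constructed
# Constructed SID; read the real one on the Samba host with `net getlocalsid`.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# samba_user_ldif LOGIN UIDNUMBER
samba_user_ldif() {
    is_number "$2" || { echo "uidNumber required for $1" >&2; return 1; }
    cat <<EOF
dn: uid=$1,cn=users,cn=accounts,$BASE_DN
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: $DOMAIN_SID-$(( $2 * 2 + 1000 ))

EOF
}

# samba_group_ldif GROUP GIDNUMBER
# sambaGroupMapping requires gidNumber, so a non-posix group is refused.
samba_group_ldif() {
    is_number "$2" || { echo "$1 is not a posix group (no gidNumber)" >&2; return 1; }
    cat <<EOF
dn: cn=$1,cn=groups,cn=accounts,$BASE_DN
changetype: modify
add: objectClass
objectClass: sambaGroupMapping
-
add: sambaSID
sambaSID: $DOMAIN_SID-$(( $2 * 2 + 1001 ))
-
add: sambaGroupType
sambaGroupType: 2

EOF
}

# Apply over StartTLS, prompting for the bind password (not run here):
#   { samba_user_ldif jdoe 5001; samba_group_ldif smbusers 5002; } |
#       ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://ipa.example.com
```

After the user entry is modified, the user's password still has to be changed once before an NT hash exists for Samba to check.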


Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Ondrej,
The win7 is standing alone. I don't have an AD for it.

I used to have a samba domain controller that took care of user authentication 
for both linux and winxp machines.
Thanks,
George




 From: Ondrej Valousek ondr...@s3group.cz
To: freeipa-users@redhat.com 
Sent: Tuesday, July 10, 2012 9:12 AM
Subject: Re: [Freeipa-users] ipa samba win7
 

Do you have an AD for the win7 machine or is it just standalone machine?
Ondrej

On 07/10/2012 03:01 PM, george he wrote: 
Hello all,
I have an ipa client that is also a file server. How do I set up a samba 
server on the file server so that the files can be accessed by a win7 
machine, which is not a member of the ipa realm?
Should I set the file server as a domain controller? How do I deal with the 
passdb backend option? I guess I can set it to ldapsam, but the user 
information is kept on the ipa server, not the file server.
What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.

Thanks,
George



Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread Ondrej Valousek

Well, if you want to integrate Windows machines, you'd better stick with 
Samba (you can try Samba 4 if you prefer the IPA-like integration).
IPA itself looks and feels like AD but it is not compatible with AD - it is 
intended mainly for Linux machines.

Ondrej


On 07/10/2012 03:25 PM, george he wrote:

Hi Ondrej,
The win7 is standing alone. I don't have an AD for it.
I used to have a samba domain controller that took care of user authentication 
for both linux and winxp machines.
Thanks,
George



*From:* Ondrej Valousek ondr...@s3group.cz
*To:* freeipa-users@redhat.com
*Sent:* Tuesday, July 10, 2012 9:12 AM
*Subject:* Re: [Freeipa-users] ipa samba win7

Do you have an AD for the win7 machine or is it just standalone machine?
Ondrej

On 07/10/2012 03:01 PM, george he wrote:

Hello all,
I have an ipa client that is also a file server. How do I set up a samba 
server on the file server so that the files can be accessed
by a win7 machine, which is not a member of the ipa realm?
Should I set the file server as a domain controller? How do I deal with the 
passdb backend option? I guess I can set it to
ldapsam, but the user information is kept on the ipa server, not the file 
server.
What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.
Thanks,
George



Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Simo,
Could you advise how to add

1. the samba samAccount objectclass to a user, and
2. the sambaGroups class to a group? 

I guess I would need to use ldap commands, which I don't know enough.
By the way, do I need to add both of the above, or if everybody is allowed to 
use the samba share, (and they are all in ipausers group), I would only need to 
add the sambaGroups class to ipausers group?
Thanks,
George





 From: Simo Sorce s...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Tuesday, July 10, 2012 9:56 AM
Subject: Re: [Freeipa-users] ipa samba win7
 
On Tue, 2012-07-10 at 06:01 -0700, george he wrote:
> Hello all,
> I have an ipa client that is also a file server. How do I set up a
> samba server on the file server so that the files can be accessed by a
> win7 machine, which is not a member of the ipa realm?
> Should I set the file server as a domain controller? How do I deal
> with the passdb backend option? I guess I can set it to ldapsam,
> but the user information is kept on the ipa server, not the file
> server.
> What else should I take care of before I start?
> ps. my ipa version is 2.2, running on fc17.

You can install samba with the ldapsam passdb backend.
security = user will suffice, you do not need to make it a domain
controller.
Authentication will happen only using NTLM, so you will have to add the
samba samAccount objectclass to those users that you want to be able to
log in to samba and the sambaGroups class to those groups you want to
use with samba.
After you added the right objectclass to users you will need to change
the user's password once so that the ipa-pwd-extop plugin can generate NT
hashes for the user.
Once that is done samba should allow you to log in using the ipa
password.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


