[Freeipa-devel] freeipa and samba

Simo Sorce ssorce at redhat.com
Mon Feb 11 18:11:01 UTC 2008


On Sun, 2008-02-10 at 20:46 +0100, Thomas Sailer wrote:
> On Wed, 2008-02-06 at 15:25 -0500, Simo Sorce wrote:
> 
> > Yes, in IPA v1.0 the concept of machine accounts still does not exist.
> > For samba anyway, machine accounts are just user accounts and must be
> > available via nss calls, so to all effects what you need for now is just
> > regular user accounts named after the machine name.
> 
> Well, machines normally live under ou=Computers, not ou=People. I think
> I'll stay with smbldap-tools, until IPA has the machine account concept.

In IPA we already have the cn=Computers container, and for users we have
CN=Users. It's just that we do not have any tool to populate the
cn=Computers container yet.

> > No, they are more advanced tools to tweak an installation, you shouldn't
> > need to use them for day to day operations though.
> 
> True wrt. the configuration dialogs, but the user/group editing GUI does
> not seem to be usable for IPA, as it isn't able to add sambaSam and krb
> stuff.

Yes, to manage users you should use the IPA WebUI or CLI tools.

> I have some problems with accessing the IPA gui. It works with curl, but
> I could get neither firefox on F8, nor IE and firefox on XP to access
> the gui. They seem to do SPNEGO, but the ticket does not seem to be
> delegatable. What exact browser / krb5 library versions are you using on
> the client?

It should work fine with Firefox on any Fedora/RedHat box (and probably,
but not tested, just about any other recent Linux distro).

When you connect to the server, if Firefox is not correctly configured,
you should be presented with a page that will configure Firefox for you
if you allow it to mess with your browser configuration (security
warning dialogs and all).

To make it work you need, in any case, to kinit admin@REALM on the client
before pointing Firefox at the Web UI or using the CLI tools.

Can you provide the error you get with Firefox?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



