[Freeipa-users] Samba 4 with IPA

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 30 18:37:32 UTC 2013


On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote:
>That is actually pretty good news.  The real requirement is network
>storage for the Windows workstations secured by FreeIPA authentication.
>If I read what you’ve said correctly this is possible now.  I can live
>with the magical incantations to enrol any new Windows machines for
>now.  There are a few things that would work better if Windows thought
>it was logging on to a domain, but we have lived without those features
>for the last year.  Once a Windows machine has been set up correctly,
>which can be a bit hit and miss, the authentication works flawlessly.
To be clear, we have not tested this combination, so you'll be in uncharted
waters.

Since the TGT for these users would still be issued by the FreeIPA KDC, it would
include an MS-PAC with the SIDs of these users in the FreeIPA domain -- once you
have run ipa-adtrust-install, of course. Thus, smbd on the IPA master would
be able to recognize them as FreeIPA users regardless of where they come
from -- IPA or Windows machines -- as long as Kerberos is in use.

Any reports of how such a setup would actually behave are welcome.

>It sounds as though I can set up the file server now and then extend it
>to do the AD DC bit when it is ready.

>I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>anywhere is there?
The only requirements for a simplistic setup are to:
1. run the file server on an IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to set up the Samba configuration
    and enable the KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to set up shares, since Samba on the IPA master
    uses the registry backend to store the smb.conf configuration.

See
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
for a sample of how to work with 'net conf setparm'.

For 'valid users' I guess you can simply use user names, since these
would be our local ones.

Again, this is completely untested right now.

-- 
/ Alexander Bokovoy
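As an added example (not from this thread or the FreeIPA project), a small POSIX shell script that follows steps 2 and 3 above: it defines one share through 'net conf', because smbd on the IPA master keeps smb.conf in the registry backend, and sets 'valid users' to plain FreeIPA user names. It assumes ipa-adtrust-install has already been run; the share name, path and user names are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's or FreeIPA's own code: create a Samba share
# on an IPA master via 'net conf' (registry-backed smb.conf). Assumes
# ipa-adtrust-install has already been run; share name, path and users are
# placeholders to be replaced.
set -eu

# Reject share names the registry backend cannot hold safely: only letters,
# digits, '_' and '-', and never the reserved 'global' section.
valid_share_name() {
    case "$1" in
        ''|global|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Turn a space-separated list of IPA user names into a comma-separated
# 'valid users' value. These are local FreeIPA users, so plain names suffice.
valid_users_value() {
    ( set -f; set -- $1; IFS=,; printf '%s' "$*" )
}

# Define the share, restrict it to the given users and show what was stored.
# Arguments: share name, absolute path, "user1 user2 ..."
create_share() {
    name=$1; path=$2; users=$3
    valid_share_name "$name" || { echo "bad share name: $name" >&2; return 1; }
    case "$path" in /*) ;; *) echo "path must be absolute: $path" >&2; return 1 ;; esac
    # net conf addshare <name> <path> [writeable=y|N] [guest_ok=y|N] [comment]
    net conf addshare "$name" "$path" writeable=y guest_ok=n "IPA share $name"
    # Kerberos-authenticated IPA users only, no guest access.
    net conf setparm "$name" 'valid users' "$(valid_users_value "$users")"
    net conf showshare "$name"
}

# Only act when invoked with arguments: ./share.sh NAME /PATH "user1 user2"
if [ $# -ge 3 ]; then
    create_share "$1" "$2" "$3"
fi
```

Run it with NAME, PATH and a quoted user list as arguments; without arguments it only defines the functions.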