[Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0

Dmitri Pal dpal at redhat.com
Thu Aug 14 18:25:19 UTC 2014


On 08/11/2014 09:29 PM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> On Sun, 10 Aug 2014, Dmitri Pal wrote:
>> On 07/21/2014 10:15 AM, dbischof at hrz.uni-kassel.de wrote:
>>> On Wed, 16 Jul 2014, Dmitri Pal wrote:
>>>> On 07/16/2014 07:16 AM, dbischof at hrz.uni-kassel.de wrote:
>>>>> I have IPA running on a CentOS 6 server. This server also acts as 
>>>>> NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine 
>>>>> (NFS, automount, user auth for ssh and display manager).
>>>>>
>>>>> Since I also have some Windows users, I want them to be able to 
>>>>> mount their homes via Samba using their IPA password. Just that, 
>>>>> no AD or other fancy stuff.
>>>>
>>>> Support of Windows users is still where it was. Code might have 
>>>> changed so the solution might not apply any more cleanly. Our 
>>>> general vision is that Windows users belong to Windows and have to 
>>>> be either in AD or in Samba4. As soon as Samba 4 supports cross 
>>>> forest trusts we will make it supported. Then we will be able to 
>>>> support cases like you describe.
>>>>
>>>> Also right now Samba FS as a member of IPA domain does not work 
>>>> well. It should work better with SSSD 1.12.1 and IPA 4.1 when we 
>>>> make sure that all parts are in place but that would still have 
>>>> some problems when one has to come from a Windows client as there is 
>>>> no SSSD equivalent for Windows clients.
>>>>
>>>> Bottom line: no, there is no better info, sorry.
>>>
>>> Bummer. Just to make sure: I don't want my Windows users to be able 
>>> to log on to their systems using IPA auth, they all have local 
>>> accounts. I just want them to be able to manually mount their home 
>>> shares.
>>
>> Sorry for a delayed response, I am slowly catching up on these 
>> threads. Mounting a share requires authentication with the account 
>> that Samba FS server knows about. Samba FS server until now could 
>> have been joined to AD only. Samba 4 DC can be used as an alternative 
>> to AD. But in both cases Samba FS can't yet be a member of the IPA 
>> domain. We are working on it. So once it is done you might be able to 
>> manually mount shares using the accounts managed by IPA. It is a 
>> question of a couple of months really, so maybe you can wait for this 
>> functionality to emerge and try it?
>
> will that feature (Samba shares w/ IPA accounts) be available for IPA 
> 3.0 as in RHEL/CentOS6 or for IPA4 only? Waiting another couple of 
> months would be perfectly ok for me, if I could then just update the 
> IPA package and do some additional configuration to make it work. I'd 
> happily take part in testing the feature in advance, too.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
>
You would need SSSD 1.12.1 for this to work.
CC to https://fedorahosted.org/sssd/ticket/1588 and you will get 
notifications on the status changes of the ticket.
Once you see it closed you can grab a build and try it out.
Seek help on the SSSD users list or on IRC.

Thanks for offering testing, really appreciated.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



