[Freeipa-users] User auth for Samba 3 file server against IPA 3.0.0
Dmitri Pal
dpal at redhat.com
Thu Aug 14 18:25:19 UTC 2014
On 08/11/2014 09:29 PM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> On Sun, 10 Aug 2014, Dmitri Pal wrote:
>> On 07/21/2014 10:15 AM, dbischof at hrz.uni-kassel.de wrote:
>>> On Wed, 16 Jul 2014, Dmitri Pal wrote:
>>>> On 07/16/2014 07:16 AM, dbischof at hrz.uni-kassel.de wrote:
>>>>> I have IPA running on a CentOS 6 server. This server also acts as
>>>>> NFS- and Samba server. My Linux clients (openSUSE 13.1) work fine
>>>>> (NFS, automount, user auth for ssh and display manager).
>>>>>
>>>>> Since I also have some Windows users, I want them to be able to
>>>>> mount their homes via Samba using their IPA password. Just that,
>>>>> no AD or other fancy stuff.
>>>>
>>>> Support of Windows users is still where it was. Code might have
>>>> changed so the solution might not apply any more cleanly. Our
>>>> general vision is that Windows users belong to Windows and have to
>>>> be either in AD or in Samba4. As soon as Samba 4 supports cross
>>>> forest trusts we will make it supported. Then we will be able to
>>>> support cases like you describe.
>>>>
>>>> Also right now Samba FS as a member of IPA domain does not work
>>>> well. It should work better with SSSD 1.12.1 and IPA 4.1 when we
>>>> make sure that all parts are in place but that would still have
>>>> some problems when one has to come from a Windows client as there is
>>>> no SSSD equivalent for windows clients.
>>>>
>>>> Bottom line: no, there is no better info, sorry.
>>>
>>> Bummer. Just to make sure: I don't want my Windows users to be able
>>> to log on to their systems using IPA auth, they all have local
>>> accounts. I just want them to be able to manually mount their home
>>> shares.
>>
>> Sorry for a delayed response, I am slowly catching up on these
>> threads. Mounting a share requires authentication with the account
>> that Samba FS server knows about. Samba FS server until now could
>> have been joined to AD only. Samba 4 DC can be used as an alternative
>> to AD. But in both cases Samba FS can't yet be a member of the IPA
>> domain. We are working on it. So once it is done you might be able to
>> manually mount shares using the accounts managed by IPA. It is a
>> question of a couple of months really, so maybe you can wait for this
>> functionality to emerge and try it?
>
> will that feature (Samba shares w/ IPA accounts) be available for IPA
> 3.0 as in RHEL/CentOS6 or for IPA4 only? Waiting another couple of
> months would be perfectly ok for me, if I could then just update the
> IPA package and do some additional configuration to make it work. I'd
> happily take part in testing the feature in advance, too.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
>
You would need SSSD 1.12.1 for this to work.
CC to https://fedorahosted.org/sssd/ticket/1588 and you will get
notifications on the status changes of the ticket.
Once you see it closed you can grab a build and try it out.
Seek help on the SSSD users list or on IRC.
Thanks for offering testing, really appreciated.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.