[Freeipa-users] Getting Samba3 and FreeIPAv3 working together

Petr Vobornik pvoborni at redhat.com
Thu May 22 13:19:06 UTC 2014


On 22.5.2014 14:19, Sumit Bose wrote:
> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>> Hello,
>>
>> I need some help with getting Samba and FreeIPA working together.
>>
>> I’ve been following the guide at
>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>> that seems quite out of date for IPAv3 and I need some help:
>
> yes, it is a bit outdated but still useful. Please note that we are
> currently working on making the integration of samba easier. Recently
> I sent a patch to the samba-technical mailing list with a library which
> would allow samba to use SSSD instead of winbind to look up users and
> SID-to-name mapping. Alexander is planning to go through the ipasam
> modules to see how to make integration with Samba file-servers easier.
>
> But coming back to your questions.
>
>>
>> 1.       The guide deals with setting a Samba server SID for one Samba
>> server, but as we have multiple stand-alone Samba3 servers, which SID
>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>> have more than 1 plugin (seems unlikely)?
>
> 'net getlocalsid' returns the domain SID and since all your Samba
> file-servers are members of the IPA domain you can use a common SID here.
>
> With IPAv3 SID generation for users and groups is even easier because
> you can get it for free by running ipa-adtrust-install (please use the
> option --add-sids) if you already have users and groups in your IPA
> server. This prepares the IPA server to be able to create trust
> relationships to Active Directory and one requirement here is that all
> users and groups have a SID.
>
> 'ipa-adtrust-install' will also create a domain SID. 'ipa
> trustconfig-show' will show the domain SID together with the DNS domain
> name and the NetBIOS domain name. On your Samba server you should set
> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
> server after running ipa-adtrust-install for a config example).
>
> Additionally on your Samba servers you have to set the domain SID in
> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
> keys with the same SID:
>
> SECRETS/SID/DOMNETBIOS  <- NetBIOS domain name, workgroup in smb.conf
> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
>                                 smb.conf
> SECRETS/SID/CLINETBIOS  <- NetBIOS name of the client, 'netbios name' in
>                             smb.conf
>
> The SID has to be given in a special binary format. The easiest way to
> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
> IPA server after running ipa-adtrust-install. The domain SID will always
> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
> as data for the insert command of tdbtool.
>
> Now everything should be done with respect to SID handling.
>
>>
>> 2.       There’s no “/usr/share/ipa/ui/group.js” file to patch in
>> IPAv3. What do I need to patch instead?
>>
>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>> shows the need is there but I could do with getting it working ASAP.
>
> group.js is compiled with the other UI files in
> /usr/share/ipa/ui/js/freeipa/app.js (see
> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
> for details). For your convenience I copied some section here:
>
> "The compiled Web UI layer is located in
> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
> source git repository in `install/ui/src/freeipa/` directory to the
> `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
> file). By doing that, next reload of Web UI will use source files
> (clearing browser cache may be required). After that all JavaScript
> errors will contain proper source code name and line number."

A better approach is to create a custom UI plugin which would add those 
fields. Since it's only 3 fields, I created an example which works on 
FreeIPA 4.0 and theoretically it should work on 3.2 as well:

http://pvoborni.fedorapeople.org/plugins/samba/samba.js

Put the file into the `/usr/share/ipa/ui/js/plugins/samba` directory.

I did not test it with a backend (no labels + doesn't do anything).

More about plugin development:
* http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
* http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins

Creating a CLI plugin is IMO also a better approach.

>
>>
>> I may be missing something obvious but some help would be greatly appreciated!
>
> I hope my comments will help you. Feel free to ask for more help if
> needed. It would be nice to hear from any success as well.
>
> bye,
> Sumit
>
>>
>> Thanks,
>>
>> Dylan.
>>
>> Background:
>>
>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>> to a multi-location/multi-national auth scheme which FreeIPA seems
>> ideally suited for.
>>
>>
>> Requirement: To continue to provide console/SSH and GUI/X logins to
>> Linux hosts, access to home and project directories via NFS from the
>> Linux machines using autofs/automount and access to Samba file-shares
>> from Windows machines but not using AD creds as this is a totally
>> separate environment. Several locations will each have a FreeIPA
>> replica server, NFS/Samba fileserver and “application” server.
>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>> and need to consolidate to one password for everything.
>>
>>
>> Progress: Linux-based NFS stuff working fine – automount of home and
>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>> 3.3.5 on Fedora 20.
>>
-- 
Petr Vobornik
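The SID encoding Sumit describes above (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities) can be produced and checked without reading it off tdbdump by hand. The following is an added example, not code from this thread or from FreeIPA/Samba; it assumes Samba stores the full 68-byte struct dom_sid (unused sub-authorities zero-padded), that the three key names are uppercased as in the mail, and that tdbtool accepts `insert <key> <data>` with \XX escapes on its command line, so verify the generated commands against `tdbdump` on your own IPA server before running them.

```python
import re
import struct

SECRETS_TDB = "/var/lib/samba/private/secrets.tdb"  # path from the mail


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...' into Samba's struct dom_sid layout (assumed 68 bytes)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(parts[2])                 # e.g. 5 for NT authority
    subs = [int(p) for p in parts[3:]]        # 21, then the three domain parts
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must carry 1..15 sub-authorities")
    out = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out.ljust(68, b"\x00")             # zero-pad unused sub-authority slots


def to_tdb_escaped(data: bytes) -> str:
    """Render every byte as \\XX, the notation tdbdump prints and tdbtool reads."""
    return "".join(f"\\{b:02X}" for b in data)


def from_tdb_escaped(text: str) -> bytes:
    """Inverse of tdbdump output: \\XX escapes, any other character literal."""
    return bytes(int(m.group(1), 16) if m.group(1) else ord(m.group(2))
                 for m in re.finditer(r"\\([0-9A-Fa-f]{2})|(.)", text, re.S))


def bytes_to_sid(data: bytes) -> str:
    """Decode a stored SID back to text, e.g. to compare a Samba host with IPA."""
    rev, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs)))


def tdbtool_commands(sid, workgroup, dns_domain, netbios_name, db=SECRETS_TDB):
    """The three inserts from the mail: the same domain SID under three keys."""
    data = to_tdb_escaped(sid_to_bytes(sid))
    keys = (workgroup, dns_domain, netbios_name)  # DOMNETBIOS, DNS.DOMAIN.NAME, CLINETBIOS
    return [f"tdbtool {db} insert SECRETS/SID/{k.upper()} '{data}'" for k in keys]


if __name__ == "__main__":
    # Constructed sample values, not a real domain.
    for cmd in tdbtool_commands("S-1-5-21-111-222-333", "example", "ipa.example.test", "fs1"):
        print(cmd)
```

Run `tdbdump` on the IPA server's secrets.tdb and feed the SID value into `from_tdb_escaped`/`bytes_to_sid` to confirm it decodes to the SID shown by `ipa trustconfig-show` before writing it to the file-servers.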
