[Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on Centos 7?

Israel Miranda programadorlinux at gmail.com
Wed Feb 11 23:13:28 UTC 2015


I did follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but first I was always getting NT_STATUS_UNSUCCESSFUL
First I thought it was related to a bad parameter in my samba
configuration, because
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
says it is about ipa v4, and after I found this ticket
https://fedorahosted.org/freeipa/ticket/3999 I thought the
documentation was incomplete.

I debugged the kerberos log file and I realized I was using just username
instead of username@REALM.COM on the windows 8 machine. It showed REALM as
a groupname and I thought samba would do the translation, but even on a
windows share logon you have to use username@REALM.COM, otherwise it
doesn't work.
Also, what about all those ldap objects I created earlier?
Are they worth it or needed for a kerberized CIFS server?
Because they are not mentioned in
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It is working flawlessly now. Thanks a lot for the tip, now my
smb.conf is just like in the example of the howto and it is working
through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the ldap objects;
there is a typo in many places on the internet because it was reproduced
from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html

on the creation of
dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
cosAttribute: sambaGrouptType

there is a typo in the cosAttribute: a double tT in sambaGrouptType,
and I wasn't able to create the object because the template was not found.
I found this error in the log:
Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

I also think it should be documented somewhere that ipa-adtrust-install
creates/populates the ipaNTHash; I couldn't find it anywhere, someone
told me this on freenode.

And one more doubt.
ipa config-mod --userobjectclasses=aaa,bbb,ccc
or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
doesn't work on IPA 4.
Is there a way of doing this on the command line on ipa 4?

Thanks a lot, ipa 4 is excellent.


2015-02-11 6:32 GMT-02:00, Alexander Bokovoy <abokovoy at redhat.com>:
> On Tue, 10 Feb 2015, Israel Miranda wrote:
>>I have a freeipa installation of v4 on Fedora 21.
>>I have a separate fileserver with freeipa packages installed from
>>mkosek-freeipa-epel-7.repo on centos 7.
>>
>>I have:
>>* created sambaSAMAccount,sambaGroupMapping UserObjects
>>* created an entry for DNA plugin to populate them
>>cn=SambaGroupSid,cn=Distributed Numeric Assignment
>>Plugin,cn=plugins,cn=config
>>* added a CoS template for sambaGroupType
>>* added a CoS definition for sambaGroupType
>>* used ipa-adtrust-install to create and populate ipaNTHash
>>* checked with the creation of these attributes with an ldap browser all
>> ok
>>* put the fileserver machine on the domain
>>* added necessary permissions, privileges and roles
>>* installed kerberos keytab on the fileserver
>>* was able to retrieve ipaNTHash attribute with the keytab from samba
>> server
>>
>>and now the only thing missing is to integrate the fileserver with the
>>ipaserver.
>>I don't mind using ipasam, but to install it on my centos7
>>fileserver, which only has samba installed and nothing else, it also
>>pulls the whole freeipa-server package, and this is overkill just to
>>get ipasam.so. So I'd like some help in compiling it separately.
>>I am using standard samba server distributed with centos 7.
>>
>>So I tried to use  passdb backend = ldapsam:ldap//ipaserver
>>but samba tries to bind using admin user, and doesn't use keytab, even
>>though I put
>>        dedicated keytab file = FILE:/etc/samba/samba.keytab
>>        kerberos method = dedicated keytab
>>in smb.conf.
> ldapsam currently does not yet support keytab use. With CentOS7/mkosek
> COPR repo you don't need to use any special passdb module anymore, just
> follow
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>
>>
>>So please help me in getting these two things done:
>>
>>1. use samba with freeipa through ldap( I know it is worse than
>>ipasam, but would be nice to know how to integrate freeipa with samba
>>with ldap on systems where ipasam might not be available )
> Don't do that, use sssd-libwbclient integration. It requires pretty
> fresh sssd version (1.12.2+) but systems you mentioned (F21 and CentOS7
> with mkosek COPR repo) have it.
>
>>2. compile an ipasam.so module so we can work on creating an rpm
>>package in the future, since it is necessary to install ipasam.so
>>separately.
> No need for that when using sssd-libwbclient integration.
>
> --
> / Alexander Bokovoy
>


-- 
Free software philosophy :

Information is for free.
People are not.
Contributors are priceless.

Israel Vinícius Miranda
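An added pre-flight check (example code, not from the thread or the FreeIPA docs) that parses the CoS LDIF quoted above and flags the two failure modes the message describes: a cosAttribute name that is not a known attribute (the sambaGrouptType typo) and a cosTemplateDn whose template entry is not loaded before the definition (the "no CoS Templates found" error). The attribute whitelist and the template entry are constructed assumptions.

```python
import re
KNOWN_ATTRS = {"sambagrouptype", "sambasid"}  # constructed whitelist for this example
def parse_ldif(text):
    """Parse a simple LDIF string into a list of {lowercased attr: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # fold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries
def check_cos(text, known_attrs=KNOWN_ATTRS):
    """Return the problems found in CoS pointer definitions; [] means consistent."""
    problems, seen = [], set()
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "cospointerdefinition" in classes:
            for attr in e.get("cosattribute", []):
                name = attr.split()[0].lower()  # value may carry "default"/"override"
                if name not in known_attrs:
                    problems.append(f"{dn}: unknown cosAttribute '{attr}'")
            for tdn in e.get("costemplatedn", []):
                if tdn.lower() not in seen:  # template must be loaded first
                    problems.append(f"{dn}: cosTemplateDn {tdn} not added before the definition")
        seen.add(dn.lower())
    return problems
# The definition from the thread, typo included (constructed test input).
DEFINITION = """\
dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
objectclass: top
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
cosAttribute: sambaGrouptType
"""
# A matching template entry (constructed); objectclass name follows 389 DS.
TEMPLATE = """\
dn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
objectclass: top
objectclass: cosTemplate
sambaGroupType: 2

"""
FIXED = TEMPLATE + DEFINITION.replace("sambaGrouptType", "sambaGroupType")
```

Running check_cos(DEFINITION) reports both problems, while check_cos(FIXED) returns an empty list because the template precedes a definition whose cosAttribute is spelled correctly.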