[Freeipa-users] FreeIPA and Samba4

Joshua Doll joshua.doll at gmail.com
Tue Oct 27 14:46:42 UTC 2015


On Tue, Oct 27, 2015 at 10:03 AM Troels Hansen <th at casalogic.dk> wrote:

> This might be related to the old thread
> https://www.redhat.com/archives/freeipa-users/2015-January/msg00285.html
> but on the other side not quite, and can't see that it has been
> solved.
>
> I have been spending quite some time on this, but haven't been able to
> solve it yet.
>
> My problem is:
>
> I have a completely new infrastructure based on RedHat7 and CentOS7 servers.
> No Windows and definitely no AD, however we use Samba for sharing files to
> some clients.
>
> Clients are mostly Ubuntu based laptops, completely individually managed.
> No central user admin or anything.
> Users manage their own PC 100%.
>
> We have two IPA servers set up, and all Linux servers authenticate against
> IPA and all that works flawlessly.
>
> We migrated from a pure LDAP / Samba3 based solution to IPA / Samba4,
> using the ipa migrate script and this also worked fine.
>
> Now comes the tricky part that I haven't been able to solve.
>
> I can't seem to set Samba to play with IPA.
>
> I have been trying to use plain old ldapsam backend, but never managed to
> get it to work.
> Seems Samba can't authenticate users.
>
> Tried ipasam backend, using kerberos, following the instructions from the
> old thread:
> https://www.redhat.com/archives/freeipa-users/2015-September/msg00052.html
> Samba fails to start up, with a:
> [2015/10/27 14:13:42.127557,  0] ipa_sam.c:4478(pdb_init_ipasam)
>   pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain. We cannot work reliably without it.
> [2015/10/27 14:13:42.127785,  0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>   pdb backend ipasam:"ldaps://kenai.casalogic.lan
> ldaps://koda.casalogic.lan" did not correctly init (error was
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> If I look at the users directly in LDAP, I can see they don't have an
> ipaNTHash or ipaNTSecurityIdentifier attribute, however they have preserved
> their old LDAP-ish sambaLMPassword and sambaNTPassword
>
> I might be completely off, but I need Samba to authenticate users against
> IPA, using password, and not krb as I have no control over the clients.
>
> FreeIPA is currently 4.1
>
> --
>
> Best regards
>
> *Troels Hansen*
>
> Systemkonsulent
>
> Casalogic A/S
>
> T  (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> <http://www.casalogic.dk/signatur/th.vcf>
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos
> and much more.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project




To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
the ipa-adtrust-install --add-sids, even though I was not setting up a
trust. It would be nice if there was a way to generate these values another
way, maybe there is but I missed it.

--Joshua D Doll
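The check Troels describes (looking at the user entries directly in LDAP for ipaNTHash / ipaNTSecurityIdentifier versus the migrated sambaLMPassword / sambaNTPassword) can be done over an `ldapsearch` LDIF dump. The script below is an added example written for this thread, not code from FreeIPA, Samba or either poster; the LDIF sample, user names and SIDs in it are constructed, and the entry for `carol` illustrates the state after `ipa-adtrust-install --add-sids` has assigned a SID but before the user has changed their password, which is when FreeIPA generates the NT hash.

```python
"""Audit FreeIPA user entries (LDIF text) for the attributes the Samba
ipasam backend needs. Example code for the freeipa-users thread, not part
of FreeIPA or Samba. All sample data below is constructed."""
from typing import Dict, List

# Attributes ipasam expects on a user entry (names compared case-insensitively).
REQUIRED = ("ipaNTHash", "ipaNTSecurityIdentifier")
# Legacy Samba 3 / ldapsam attributes that a migrate-ds run carries over.
LEGACY = ("sambaLMPassword", "sambaNTPassword")

# Constructed sample of what `ldapsearch -LLL -b cn=users,...` might return.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: ipantuserattrs
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: sambaSamAccount
uid: bob
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 00000000000000000000000000000000

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: ipantuserattrs
uid: carol
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1003
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, keeps repeated
    attributes as lists, lower-cases attribute names. Base64 ("::")
    values are kept encoded; we only care whether the attribute exists."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Dict[str, List[str]]]) -> Dict[str, Dict[str, List[str]]]:
    """For every posixAccount entry, list which ipasam attributes are missing
    and which legacy Samba 3 attributes are still present."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        dn = entry.get("dn", ["?"])[0]
        report[dn] = {
            "missing": [a for a in REQUIRED if a.lower() not in entry],
            "legacy": [a for a in LEGACY if a.lower() in entry],
        }
    return report


def needs_attention(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """DNs that ipasam cannot authenticate yet (at least one attribute missing)."""
    return sorted(dn for dn, r in report.items() if r["missing"])


if __name__ == "__main__":
    result = audit(parse_ldif(SAMPLE_LDIF))
    for dn, r in result.items():
        print(f"{dn}\n  missing: {r['missing'] or '-'}\n  legacy : {r['legacy'] or '-'}")
    print("needs attention:", needs_attention(result))
```

Feed it real output with `ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,<base> '(objectClass=posixAccount)' ipaNTHash ipaNTSecurityIdentifier sambaLMPassword sambaNTPassword objectClass` (the bind method and base DN are site-specific). Entries in the `carol` state only get their ipaNTHash once the user sets a new password through IPA, so a list of such DNs is also a list of users who still need a password change before Samba can authenticate them.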