[Freeipa-users] FreeIPA and Samba4
Troels Hansen
th at casalogic.dk
Thu Oct 29 19:09:49 UTC 2015
Same result...
ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <joshua.doll at gmail.com> wrote:
> What about as directory manager?
> --Joshua D Doll
> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:
>> I should think so:
>> On the IPA server.
>> ipa role-show 'CIFS server'
>> Role name: CIFS server
>> Privileges: CIFS server privilege
>> Member services: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>> ipa privilege-show 'CIFS server privilege'
>> Privilege name: CIFS server privilege
>> Permissions: CIFS test, CIFS server can read user passwords
>> Granting privilege to roles: CIFS server
>> ipa permission-show 'CIFS server can read user passwords'
>> Permission name: CIFS server can read user passwords
>> Granted rights: read, search, compare
>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>> Bind rule type: permission
>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>> Type: user
>> Granted to Privilege: CIFS server privilege
>> Indirect Member of roles: CIFS server
>> ipa-getkeytab -s kenai.casalogic.lan -p
>> cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN -k /tmp/samba.keytab
>> samba.keytab copied to samba server.
>> On the samba server (tinkerbell):
>> kdestroy -A
>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>> SASL/GSSAPI authentication started
>> SASL username: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>> # search result
>> search: 4
>> result: 0 Success
>> # numResponses: 3
>> # numEntries: 2
>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>> permissions to view those attributes?
>>> --Joshua D Doll
>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:
>>>> Hmm, weird.
>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>> told it to generate SIDs.
>>>> However, I still can't see them on the user.
>>>> The IPA DB doesn't reveal them being generated, and I can't look them up via LDAP.
>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>> .......
>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>> .....
>>>> Samba, however, starts fine now but is unable to find any users:
>>>> pdbedit -Lv
>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>>>> casalogic.lan
>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>> would be nice if there was a way to generate these values another way, maybe
>>>>> there is but I missed it.
>>>>> --Joshua D Doll
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
--
Kind regards
Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
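An added example, not part of the thread: a small shell/awk check that reads ldapsearch LDIF output and reports, for each returned entry, whether it lies under the permission subtree shown above (cn=users,cn=accounts,...) and whether ipaNTHash / ipaNTSecurityIdentifier came back. The sample LDIF and the uid=example entry with its placeholder SID and hash are constructed; only the in-scope entry tells you anything about the permission.

```shell
#!/bin/sh
# Added example (not from the thread): classify ldapsearch LDIF output against
# the permission scope the thread shows ("Subtree: cn=users,cn=accounts,...").
# Entries outside that subtree (e.g. the cn=compat view) can never return
# ipaNTHash through that permission, so only the in-scope entry is diagnostic.

PERM_SUBTREE='cn=users,cn=accounts,dc=casalogic,dc=lan'

# check_ldif: read LDIF on stdin; print one line per entry:
#   <dn> <in-scope|out-of-scope> has=<attributes present|none>
check_ldif() {
    awk -v subtree="$PERM_SUBTREE" '
        function flush() {
            if (dn == "") return
            tail = substr(dn, length(dn) - length(subtree) + 1)
            scope = (tail == subtree) ? "in-scope" : "out-of-scope"
            printf "%s %s has=%s\n", dn, scope, (has == "" ? "none" : has)
            dn = ""; has = ""
        }
        /^#/ { next }                                # ldapsearch comment lines
        /^dn: / { flush(); dn = substr($0, 5); next }
        {
            low = tolower($0)                        # LDAP attribute names are case-insensitive
            if (low ~ /^(ipanthash|ipantsecurityidentifier)::? /) {
                name = substr($0, 1, index($0, ":") - 1)
                has = (has == "" ? name : has "," name)
            }
        }
        /^$/ { flush() }
        END { flush() }
    '
}

# Constructed sample: the two entries the thread's search returned (no attributes),
# plus a hypothetical user whose entry carries both (placeholder SID and hash).
sample_ldif() {
    cat <<'EOF'
# extended LDIF
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

dn: uid=example,cn=users,cn=accounts,dc=casalogic,dc=lan
ipaNTSecurityIdentifier: S-1-5-21-0-0-0-1001
ipaNTHash:: UExBQ0VIT0xERVItTlQtSEFTSA==
EOF
}

sample_ldif | check_ldif
```

Feed the real output of `ldapsearch ... uid=th ipaNTHash ipaNTSecurityIdentifier` into `check_ldif` instead of `sample_ldif` to see which entry is actually covered by the permission.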