[Freeipa-users] FreeIPA and Samba4

Troels Hansen th at casalogic.dk
Thu Oct 29 19:09:49 UTC 2015


Same result... 

ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash 
Enter LDAP Password: 
# extended LDIF 
# 
# LDAPv3 
# base <dc=casalogic,dc=lan> (default) with scope subtree 
# filter: uid=th 
# requesting: ipaNTHash 
# 

# th, users, compat, casalogic.lan 
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan 

# th, users, accounts, casalogic.lan 
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan 

# search result 
search: 2 
result: 0 Success 

# numResponses: 3 
# numEntries: 2 

----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <joshua.doll at gmail.com> wrote: 

> What about as directory manager?

> --Joshua D Doll

> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:

>> I should think so:

>> On IPA server.

>> ipa role-show 'CIFS server'
>> Role name: CIFS server
>> Privileges: CIFS server privilege
>> Member services: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN

>> ipa privilege-show 'CIFS server privilege'
>> Privilege name: CIFS server privilege
>> Permissions: CIFS test, CIFS server can read user passwords
>> Granting privilege to roles: CIFS server

>> ipa permission-show 'CIFS server can read user passwords'
>> Permission name: CIFS server can read user passwords
>> Granted rights: read, search, compare
>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>> Bind rule type: permission
>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>> Type: user
>> Granted to Privilege: CIFS server privilege
>> Indirect Member of roles: CIFS server

>> ipa-getkeytab -s kenai.casalogic.lan -p
>> cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN -k /tmp/samba.keytab

>> samba.keytab copied to samba server.

>> on samba server (tinkerbell):
>> kdestroy -A
>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash

>> SASL/GSSAPI authentication started
>> SASL username: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #

>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

>> # search result
>> search: 4
>> result: 0 Success

>> # numResponses: 3
>> # numEntries: 2

>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:

>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>> permissions to view those attributes?
>>> --Joshua D Doll
>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:

>>>> Hmm, weird.
>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>> told it to generate SIDs.
>>>> However, I still can't see them on the user.
>>>> The IPA DB doesn't reveal them being generated and I can't look them up via LDAP.

>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>> .......
>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

>>>> .....

>>>> Samba, however, starts fine now but is unable to find any users:
>>>> pdbedit -Lv
>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>>>> casalogic.lan

>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:

>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>> would be nice if there was a way to generate these values another way, maybe
>>>>> there is but I missed it.

>>>>> --Joshua D Doll


-- 

Kind regards

Troels Hansen

System consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
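Added example, not code from this thread or from FreeIPA: a small Python check that parses ldapsearch LDIF output and encodes the reasoning behind the "what about as directory manager?" question, since Directory Manager is not subject to ACIs, a hash visible to it but not to the cifs principal points at the permission, while a hash missing even for Directory Manager was never generated. The sample LDIF is constructed from the output quoted above; the hash and SID values in `LDIF_WITH_HASH` are placeholders.

```python
import re
# Constructed sample, cut down from the ldapsearch output quoted in this thread:
# two entries for uid=th come back and neither carries ipaNTHash.
LDIF_NO_HASH = """\
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
result: 0 Success
"""

# Constructed sample of a populated entry; both values are placeholders.
LDIF_WITH_HASH = """\
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
ipaNTHash:: UExBQ0VIT0xERVI=
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001
"""

def parse_ldif(text):
    """Group ldapsearch LDIF into {dn: {attr (lowercased): [values]}}."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold wrapped lines
        if not line.strip():
            current = None                # blank line ends an entry, so the
            continue                      # trailing result: line is not attached
        m = re.match(r"^([A-Za-z][\w;-]*)::? ?(.*)$", line)
        if line.startswith("#") or not m:
            continue                      # comment or junk
        attr, value = m.group(1).lower(), m.group(2)   # '::' marks a base64 value
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def has_nthash(text, uid):
    """True if the cn=accounts entry for uid exposes ipaNTHash (compat tree ignored)."""
    return any(dn.startswith(f"uid={uid},") and "cn=accounts" in dn and "ipanthash" in attrs
               for dn, attrs in parse_ldif(text).items())

def diagnose(as_service, as_dirmgr, uid):
    """as_service: LDIF from the cifs/ principal bind; as_dirmgr: same search as Directory Manager."""
    if has_nthash(as_service, uid):
        return "ok"
    if has_nthash(as_dirmgr, uid):
        return "permission"     # value exists; the permission granted to the cifs principal hides it
    # Not even Directory Manager sees it, so it was never written: FreeIPA only computes
    # ipaNTHash when a password is set after ipa-adtrust-install, so the user must reset it.
    return "not-generated"
```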