[Freeipa-users] FreeIPA and Samba4

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 30 10:02:39 UTC 2015


On Fri, 30 Oct 2015, Troels Hansen wrote:
>Well, I think the problem here being that I miss the attributes.  One
>"funny" thing being that apparently, some users have had ipantuserattrs
>objectclass and a ipaNTSecurityIdentifier SID added. Some don't
>(including mine).  Tried adding a new user, just to test, and this gets
>created with a ipaNTSecurityIdentifier, however, my old users still
>don't.  I guess I just need a way to have IPA add ipantuserattrs and
>ipaNTSecurityIdentifier to my existing users.
Not sure what you expect.

Modifying attributes for existing users takes time so we don't do it
automatically. When you run ipa-adtrust-install, it does ask you to run
a task that does the work of generating SIDs and adding needed
attributes/object classes.

However, ipaNTHash will not be there until either of two events happens:
 - user changes password;
 - user authenticates with Kerberos against Samba running on IPA master.


>
>when running ipa-adtrust-install it finds 85 users without SID, and I
>install the SID plugin (which is just 2 LDIF's), but this still doesn't
>do anything.
*you* install the SID plugin or ipa-adtrust-install adds two plugins and
then runs a task to generate SIDs?

>
>----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.doll at gmail.com> wrote:
>
>> Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
>> --add-sids. I did notice when I was setting this up recently that I had to run
>> the adtrust-install command whenever I added new users or groups. I don't know
>> if it was just me being impatient or a limitation. Another thing I noticed that
>> is different between our two setups is I couldn't get this setup to work on a
>> separate host, I am running samba on the same host as my ipa service.
>
>> --Joshua D Doll
>
>> On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < th at casalogic.dk > wrote:
>
>>> Same result...
>
>>> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
>>> ipaNTHash
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>>> # filter: uid=th
>>> # requesting: ipaNTHash
>>> #
>
>>> # th, users, compat, casalogic.lan
>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
>>> # th, users, accounts, casalogic.lan
>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
>>> # search result
>>> search: 2
>
>>> result: 0 Success
>
>>> # numResponses: 3
>>> # numEntries: 2
>
>>> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>
>>>> What about as directory manager?
>
>>>> --Joshua D Doll
>
>>>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:
>
>>>>> I should think so:
>
>>>>> On IPA server.
>
>>>>> ipa role-show 'CIFS server'
>>>>> Role name: CIFS server
>>>>> Privileges: CIFS server privilege
>>>>> Member services: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>
>>>>> ipa privilege-show 'CIFS server privilege'
>>>>> Privilege name: CIFS server privilege
>>>>> Permissions: CIFS test, CIFS server can read user passwords
>>>>> Granting privilege to roles: CIFS server
>
>>>>> ipa permission-show 'CIFS server can read user passwords'
>>>>> Permission name: CIFS server can read user passwords
>>>>> Granted rights: read, search, compare
>>>>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>>>> Bind rule type: permission
>>>>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>>>> Type: user
>>>>> Granted to Privilege: CIFS server privilege
>>>>> Indirect Member of roles: CIFS server
>
>>>>> ipa-getkeytab -s kenai.casalogic.lan -p
>>>>> cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN -k /tmp/samba.keytab
>
>>>>> samba.keytab copied to samba server.
>
>>>>> on samba server (tinkerbell):
>>>>> kdestroy -A
>>>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>>>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>
>>>>> SASL/GSSAPI authentication started
>>>>> SASL username: cifs/tinkerbell.casalogic.lan at CASALOGIC.LAN
>>>>> SASL SSF: 56
>>>>> SASL data security layer installed.
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>>>>> # filter: uid=th
>>>>> # requesting: ipaNTHash
>>>>> #
>
>>>>> # th, users, compat, casalogic.lan
>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
>>>>> # th, users, accounts, casalogic.lan
>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
>>>>> # search result
>>>>> search: 4
>>>>> result: 0 Success
>
>>>>> # numResponses: 3
>>>>> # numEntries: 2
>
>>>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>
>>>>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>>>>> permissions to view those attributes?
>>>>>> --Joshua D Doll
>>>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:
>
>>>>>>> Hmm, weird.
>>>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>>>>> told it to generate SIDs.
>>>>>>> However, I still can't see them on the user.
>>>>>>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.
>
>>>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>>>>> .......
>>>>>>> # th, users, compat, casalogic.lan
>>>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
>>>>>>> # th, users, accounts, casalogic.lan
>>>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
>>>>>>> .....
>
>>>>>>> Samba however starts fine now, but is unable to find any users:
>>>>>>> pdbedit -Lv
>>>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
>>>>>>> casalogic.lan
>
>>>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
>
>>>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>>>>> would be nice if there was a way to generate these values another way, maybe
>>>>>>>> there is but I missed it.
>
>>>>>>>> --Joshua D Doll
>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
>
>
>>>>> --
>>>>> Kind regards
>>>>>
>>>>> Troels Hansen
>>>>> System consultant
>>>>> Casalogic A/S
>>>>> T (+45) 70 20 10 63
>>>>> M (+45) 22 43 71 57
>>>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
>>>>> much more.
>
>
>
>



-- 
/ Alexander Bokovoy
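The checks discussed in this thread (does a user entry carry the ipantuserattrs object class, a domain SID, and an ipaNTHash) can be run against a plain ldapsearch LDIF dump instead of eyeballing entries one by one. The script below is an added example, not code from the thread or from FreeIPA; it assumes the dump was taken as Directory Manager (or a principal holding the "read user passwords" permission), since an ACI that hides an attribute is indistinguishable from the attribute being absent. The embedded LDIF, SIDs and the 16-byte hash are constructed sample data in the shape of the ldapsearch output quoted above.

```python
"""Classify FreeIPA user entries by the attributes Samba's ipasam backend needs.

Take the input from something like (run as Directory Manager so ACIs don't hide values):
  ldapsearch -D 'cn=Directory Manager' -W -b cn=users,cn=accounts,dc=casalogic,dc=lan \
    '(objectclass=posixaccount)' uid objectClass ipaNTSecurityIdentifier ipaNTHash > users.ldif
"""
import base64
import re
import sys
from typing import Dict, List

Entry = Dict[str, List[str]]

# SIDs FreeIPA allocates in its own domain: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal reader for ldapsearch LDIF: unfolds continuation lines, skips
    '#' comments, decodes base64 ('::') values to hex, lowercases attribute
    names (LDAP names are case-insensitive) and drops records without a dn
    (the trailing 'search:/result:' block)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            # binary attributes such as ipaNTHash are base64 in LDIF
            value = base64.b64decode(value).hex()
        current.setdefault(name, []).append(value)
    return entries


def classify_user(entry: Entry) -> List[str]:
    """Return the problems that would keep Samba from using this entry."""
    issues: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "ipantuserattrs" not in classes:
        issues.append("no ipantuserattrs object class (needs the SID generation task)")
    sids = entry.get("ipantsecurityidentifier", [])
    if not sids:
        issues.append("no ipaNTSecurityIdentifier")
    elif not SID_RE.match(sids[0]):
        issues.append(f"ipaNTSecurityIdentifier {sids[0]!r} is not an S-1-5-21 domain SID")
    nthash = entry.get("ipanthash", [])
    if not nthash:
        issues.append("no ipaNTHash (set on next password change or Kerberos auth to Samba)")
    elif len(nthash[0]) != 32:                # 16 bytes, shown as hex
        issues.append(f"ipaNTHash has {len(nthash[0]) // 2} bytes, expected 16")
    return issues


def report(ldif_text: str) -> Dict[str, List[str]]:
    """Map uid -> issues for real account entries only. Entries under
    cn=compat are synthesised by the compat plugin and never carry these
    attributes, so they are skipped rather than reported as broken."""
    result: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].lower()
        if ",cn=compat," in dn or "cn=users,cn=accounts" not in dn:
            continue
        result[entry.get("uid", [dn])[0]] = classify_user(entry)
    return result


# Constructed sample (not real data): one complete user, one with a SID but no
# hash yet, one never touched by the SID task, plus a compat-tree duplicate.
SAMPLE_LDIF = """\
# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
uid: th
objectClass: posixAccount

dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
uid: th
objectClass: posixaccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
ipaNTHash:: MDEyMzQ1Njc4OWFiY2RlZg==

dn: uid=newuser,cn=users,cn=accounts,dc=casalogic,dc=lan
uid: newuser
objectClass: posixaccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=olduser,cn=users,cn=accounts,dc=casalogic,dc=lan
uid: olduser
objectClass: posixaccount

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for uid, issues in sorted(report(text).items()):
        print(f"{uid}: {'ok' if not issues else '; '.join(issues)}")
```

Run it with no arguments to see the three categories on the sample, or pass the LDIF file from the ldapsearch above. A user that only shows "no ipaNTHash" is exactly the case Alexander describes: the SID task has done its work and the hash appears once the user changes their password or authenticates with Kerberos against Samba on the IPA master.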