[Freeipa-users] FreeIPA and Samba4

Sumit Bose sbose at redhat.com
Fri Oct 30 10:29:39 UTC 2015


On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote:
> Well, I think the problem here being that I miss the attributes.
> One "funny" thing being that apparently, some users have had ipantuserattrs objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including mine).
> Tried adding a new user, just to test, and this gets created with an ipaNTSecurityIdentifier, however, my old users still don't.
> I guess I just need a way to have IPA add ipantuserattrs and ipaNTSecurityIdentifier to my existing users.
> 
> When running ipa-adtrust-install it finds 85 users without SID, and I install the SID plugin (which is just 2 LDIFs), but this still doesn't do anything.

Did you run ipa-adtrust-install with the '--add-sids' option?

About ipaNTHash, this is not created by ipa-adtrust-install or any other
tool. For the integrated smbd the NT hash is derived from a suitable
Kerberos key by adding a magic keyword to the ipaNTHash attribute.

You can try to do this manually with the following steps:

 - The principal used by the internal smbd has the right permissions to
   add the attribute:

   kinit -k -t /etc/samba/samba.keytab cifs/ipa.server@IPA.DOMAIN

 - write the magic keyword MagicRegen into the ipaNTHash attribute of
   the user

   ldapmodify -Y GSSAPI -H ldap://ipa-devel.ipa.devel << END
   dn: uid=ipa_user,cn=users,cn=accounts,dc=ipa,dc=domain
   changetype: modify
   add: ipaNTHash
   ipaNTHash: MagicRegen
   END

If a suitable Kerberos key was available, the user object now has the
ipaNTHash attribute set with the right NT hash value.

HTH

bye,
Sumit
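
An added example (not code from this thread, nor from FreeIPA or Samba): the script below parses ldapsearch LDIF output for the accounts tree, lists users that still carry no ipaNTHash, and emits the MagicRegen ldapmodify batch described above. The sample ldapsearch output and the base DN dc=ipa,dc=domain are constructed.

```python
"""Find IPA users lacking ipaNTHash in ldapsearch output and build the MagicRegen
ldapmodify batch from the reply above. Added example; sample data is constructed."""
import base64

# Constructed ldapsearch output: compat copy of th, th without a hash, alice with one.
SAMPLE_LDIF = """\
# th, users, compat, ipa.domain
dn: uid=th,cn=users,cn=compat,dc=ipa,dc=domain

dn: uid=th,cn=users,cn=accounts,dc=ipa,dc=domain

dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=domain
ipaNTHash:: AAAAAAAAAAAAAAAAAAAAAA==
"""

def parse_ldif_entries(text):
    """Return {dn: {attr_lowercase: [values]}}; unfolds lines, decodes '::' base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:
        if not line.strip():                   # blank line terminates an entry
            if current:
                entries[current[0]] = current[1]
            current = None
        elif not line.startswith("#"):         # '#' lines are ldapsearch comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # '::' marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("latin-1")
            else:
                value = value.strip()
            if attr.lower() == "dn":
                current = (value, {})
            elif current:
                current[1].setdefault(attr.lower(), []).append(value)
    return entries

def users_missing_nthash(entries):
    """DNs under cn=accounts with no ipaNTHash (cn=compat is a view and is skipped)."""
    return sorted(dn for dn, attrs in entries.items()
                  if ",cn=accounts," in dn and "ipanthash" not in attrs)

def magic_regen_ldif(dns):
    """ldapmodify input adding the MagicRegen keyword that ipasam replaces with the NT hash."""
    return "".join(f"dn: {dn}\nchangetype: modify\nadd: ipaNTHash\n"
                   f"ipaNTHash: MagicRegen\n\n" for dn in dns)
```

Feed the generated LDIF to ldapmodify -Y GSSAPI after the kinit with the cifs keytab; a user with no suitable Kerberos key will still show no ipaNTHash afterwards, so re-run the search and check again.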

> 
> ----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <joshua.doll at gmail.com> wrote: 
> 
> > Hmm.. well I'm at a loss then. I had to only run the ipa-adtrust-install
> > --add-sids. I did notice when I was setting this up recently that I had to run
> > the adtrust-install command whenever I added new users or groups. I don't know
> > if it was just me being impatient or a limitation. Another thing I noticed that
> > is different between our two setups is I couldn't get this setup to work on a
> > separate host, I am running samba on the same host as my ipa service.
> 
> > --Joshua D Doll
> 
> > On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < th at casalogic.dk > wrote:
> 
> >> Same result...
> 
> >> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th
> >> ipaNTHash
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <dc=casalogic,dc=lan> (default) with scope subtree
> >> # filter: uid=th
> >> # requesting: ipaNTHash
> >> #
> 
> >> # th, users, compat, casalogic.lan
> >> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> 
> >> # th, users, accounts, casalogic.lan
> >> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> 
> >> # search result
> >> search: 2
> 
> >> result: 0 Success
> 
> >> # numResponses: 3
> >> # numEntries: 2
> 
> >> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
> 
> >>> What about as directory manager?
> 
> >>> --Joshua D Doll
> 
> >>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen < th at casalogic.dk > wrote:
> 
> >>>> I should think so:
> 
> >>>> On IPA server.
> 
> >>>> ipa role-show 'CIFS server'
> >>>> Role name: CIFS server
> >>>> Privileges: CIFS server privilege
> >>>> Member services: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
> 
> >>>> ipa privilege-show 'CIFS server privilege'
> >>>> Privilege name: CIFS server privilege
> >>>> Permissions: CIFS test, CIFS server can read user passwords
> >>>> Granting privilege to roles: CIFS server
> 
> >>>> ipa permission-show 'CIFS server can read user passwords'
> >>>> Permission name: CIFS server can read user passwords
> >>>> Granted rights: read, search, compare
> >>>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
> >>>> Bind rule type: permission
> >>>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
> >>>> Type: user
> >>>> Granted to Privilege: CIFS server privilege
> >>>> Indirect Member of roles: CIFS server
> 
> >>>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN -k /tmp/samba.keytab
> 
> >>>> samba.keytab copied to samba server.
> 
> >>>> on samba server (tinkerbell):
> >>>> kdestroy -A
> >>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> >>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
> 
> >>>> SASL/GSSAPI authentication started
> >>>> SASL username: cifs/tinkerbell.casalogic.lan@CASALOGIC.LAN
> >>>> SASL SSF: 56
> >>>> SASL data security layer installed.
> >>>> # extended LDIF
> >>>> #
> >>>> # LDAPv3
> >>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
> >>>> # filter: uid=th
> >>>> # requesting: ipaNTHash
> >>>> #
> 
> >>>> # th, users, compat, casalogic.lan
> >>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> 
> >>>> # th, users, accounts, casalogic.lan
> >>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> 
> >>>> # search result
> >>>> search: 4
> >>>> result: 0 Success
> 
> >>>> # numResponses: 3
> >>>> # numEntries: 2
> 
> >>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
> 
> >>>>> Are you using the correct principal for the ldapsearch? Did you grant it
> >>>>> permissions to view those attributes?
> >>>>> --Joshua D Doll
> >>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen < th at casalogic.dk > wrote:
> 
> >>>>>> Hmm, weird.
> >>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
> >>>>>> told it to generate SIDs.
> >>>>>> However, I still can't see them on the user.
> >>>>>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.
> 
> >>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
> >>>>>> .......
> >>>>>> # th, users, compat, casalogic.lan
> >>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
> 
> >>>>>> # th, users, accounts, casalogic.lan
> >>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
> 
> >>>>>> .....
> 
> >>>>>> Samba, however, starts fine now, but is unable to find any users:
> >>>>>> pdbedit -Lv
> >>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
> >>>>>> casalogic.lan
> 
> >>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll < joshua.doll at gmail.com > wrote:
> 
> >>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
> >>>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
> >>>>>>> would be nice if there was a way to generate these values another way, maybe
> >>>>>>> there is but I missed it.
> 
> >>>>>>> --Joshua D Doll
> 
> >>>>>>> --
> >>>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>> Go to http://freeipa.org for more info on the project
> 
> 
> >>>> --
> 
> >>>> Kind regards
> 
> >>>> Troels Hansen
> 
> >>>> System consultant
> 
> >>>> Casalogic A/S
> 
> >>>> T (+45) 70 20 10 63
> 
> >>>> M (+45) 22 43 71 57
> 
> >>>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
> >>>> much more.
> 
> 
> 

