It's been a long time since I dug into all the gory bits and bobs of samba configs, but I have some nifty functionality working via some go-it-alone ingenuity.  I have a fedora box, running samba, and it is tied to my OpenLDAP/Kerberos/SASL domain via sssd.

In sssd, I set the id_provider to ldap and use the rfc2307bis schema.  nss, pam, sudo and autofs are all configured and the fixins for ldap_*, krb5_*, ldap_autofs_* are set to my needs.

In samba, I set things up so that this box is the only primary/master, etc.  When it comes to security, I set it to USER, but add in all the realm and kerberos configs.  I have the ldap configs pointing to my ldap instances and proper OUs, but I don't think those are used.  Note that I do have a kerberos keytab set up and do have to manually add each user to the tdbsam database.  The users added to the tdbsam database do not need a password set, but do need to be enabled, a la "smbpasswd -an $user".

When I set up my shares, I specify "valid user" and the group name is preceded with a '+', thereby leveraging pam, instead of ldap, for the group membership.

Effectively, samba pushes ownership and access controls to the pam stack, which leverages sssd under the covers.  Thus, my samba access controls are governed indirectly by the domain/REALM.

Some config stuffs below.  Note, this is my home setup so ssl/tls is not set up, and some security may be too lax for production use.

[global]
        workgroup = BPK2.COM
        server string = smb.bpk2.com
        interfaces = 127.0.0.1, 192.168.253.3/32
        bind interfaces only = Yes
        logging = syslog
        load printers = No
        printing = bsd
        printcap name = /dev/null
        log file = /var/log/samba/log.%m
        max log size = 50
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins proxy = No
        wins support = Yes
        dns proxy = Yes
        disable netbios = Yes
        smb ports = 445
        name resolve order = host
        remote announce = 192.168.1.255 192.168.24.255 192.168.152.255 192.168.184.255 192.168.185.255 192.168.248.255
        remote browse sync = 192.168.1.255 192.168.24.255 192.168.152.255 192.168.184.255 192.168.185.255 192.168.248.255
        hosts allow = 127., 192.168.1., 192.168.24., 192.168.152., 192.168.184., 192.168.185., 192.168.248.

        # performance tuning
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        min receivefile size = 2048
        use sendfile = true
        aio read size = 2048
        aio write size = 2048
        read raw = yes
        write raw = yes
        getwd cache = yes
        oplocks = yes
        max xmit = 32768
        dead time = 15
        large readwrite = yes

        security = USER
        realm = BPK2.COM
        kerberos method = dedicated keytab
        dedicated keytab file = /etc/samba/samba.keytab
        disable netbios = Yes

        passdb backend = tdbsam

        ldap admin dn = cn=Manager,dc=bpk2,dc=com
        ldap group suffix = ou=domainGroups,ou=Groups
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=domainUsers,ou=Users
        ldap suffix = dc=bpk2,dc=com
        ldap ssl = no

        idmap config * : backend      = ldap
        idmap config * : range        = 10000 - 19999
        idmap config * : ldap_url     = ldap://ldap.bpk2.com/
        idmap config * : ldap_base_dn = dc=bpk2,dc=com
        idmap config * : ldap_user_dn = cn=Manager,dc=bpk2,dc=com

        add user script = /usr/sbin/useradd "%u" -n -g users
        add group script = /usr/sbin/groupadd "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        delete user script = /usr/sbin/userdel "%u"
        # userdel would delete the whole account; gpasswd only removes the membership
        delete user from group script = /usr/sbin/gpasswd -d "%u" "%g"
        delete group script = /usr/sbin/groupdel "%g"

        nt pipe support = no

[data]
        comment = Data Share
        path = /export/data
        valid users = +nasData
        read only = No

On 6/7/22 3:08 PM, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 07 Jun 2022, Mathias Homann via FreeIPA-users wrote:
Hi all,

I have successfully deployed a FreeIPA server in docker using the image from
https://hub.docker.com/r/freeipa/freeipa-server/, and on the linux side
everything works just fine - user logins, automount, using IPA as
authentication source for AWX and portainer, you name it.

Today I have joined my samba server to the ipa realm, and finally turned off
nis - and that's where the *** hit the fan: samba isn't working anymore.

If I run that samba as standalone I can't connect because it seems that samba (on opensuse) doesn't know how to get user details from sssd, so when I tried
to connect I got this:
[2022/06/07 17:49:25.744112,  0] ../../source3/passdb/lookup_sid.c:1633(get_primary_group_sid)
  Failed to find a Unix account for lemmy

So I made my way through https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA but that's not helping either.
Now, when I try something like "smbclient -k -L smbserver" I get some weird "session setup failed: NT_STATUS_INVALID_PARAMETER" message on the commandline - but it works just fine when I run the same command against the actual ipa
server.
Right now I'm using the minimal smb.conf from that website.

What am I missing?

FreeIPA's wiki page with a howto is pretty much outdated. It has mention
of that but since it is contributed by community members, we have left
it in place.

We have -- at least in Fedora and RHEL -- a working Samba domain member
configuration that is generated by ipa-client-samba tool
(freeipa-client-samba package in Fedora or ipa-client-samba in RHEL). It
is based on use of SSSD and Samba with idmap_sss.

You can read more details on how it is configured at
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html and https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html

Since this was implemented, Samba further tightened supported
configurations. Basically, if you are using Kerberos, there are only two
supported configurations:

 - domain member in AD domain
 - domain member in IPA domain

In both configurations we use winbindd with specific IDMAP backends:
'ad' or 'sss' for AD setup and 'sss' for IPA. Using 'ad' backend is not
going to work with IPA domain because Samba's idmap_ad expects AD LDAP
schema and global catalog.

If you cannot get 'sss' IDMAP module in openSUSE, my only recommendation
would be to migrate your Samba server to Fedora. This is one of areas
where tight integration between OS distribution components is important
to have.
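The first reply above relies on `valid users = +group` in each share, which makes Samba's access decision depend on the group resolving through the system group database (for a `+name` entry Samba consults only UNIX groups, i.e. NSS, which is exactly where sssd plugs in; `@name` tries a NIS netgroup first and then UNIX groups). When that lookup fails, the effect is the "Failed to find a Unix account" style error quoted later in the thread. The following audit script is an added example, not code from either poster or from the FreeIPA or Samba projects: it parses a constructed smb.conf (modelled on, but not identical to, the one posted above), lists which shares depend on which NSS groups, optionally confirms those groups resolve with `getent`, and flags the lax settings the first poster mentions (`ldap ssl = no`, shares with no `valid users`, `guest ok`).

```python
"""Audit an smb.conf for the access-control dependencies discussed in the
thread. Added example, not the poster's code. The sample config below is
constructed for the demonstration."""
import re
import shutil
import subprocess

# Constructed sample, loosely modelled on the posted smb.conf (not the real file).
SAMPLE_SMB_CONF = """
[global]
        workgroup = BPK2.COM
        security = USER
        realm = BPK2.COM
        kerberos method = dedicated keytab
        passdb backend = tdbsam
        ldap ssl = no
        hosts allow = 127., 192.168.1.

[data]
        comment = Data Share
        path = /export/data
        valid users = +nasData
        read only = No

[scratch]
        path = /export/scratch
        read only = No
        guest ok = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Samba matches parameter names case-insensitively and ignores internal
    whitespace ("valid users" == "validusers"), so keys are normalised to
    lowercase with whitespace removed."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def group_dependencies(share):
    """Groups in a share's `valid users` that Samba resolves through the
    system group database: `+name` (UNIX groups only, via NSS/sssd) and
    `@name` (NIS netgroup, then UNIX group). `&name` is netgroup-only and
    plain user names are not groups, so both are skipped."""
    groups = []
    for token in re.split(r"[,\s]+", share.get("validusers", "")):
        if token[:1] in "+@" and len(token) > 1:
            groups.append(token[1:])
    return groups


def nss_group_exists(name):
    """Resolve a group through NSS with getent; None when getent is absent."""
    if shutil.which("getent") is None:
        return None
    return subprocess.run(["getent", "group", name], capture_output=True).returncode == 0


def audit(conf, check_nss=False):
    """Return a list of (section, finding) tuples for the parsed config."""
    findings = []
    g = conf.get("global", {})
    if g.get("ldapssl", "").lower() in ("no", "off", "false"):
        findings.append(("global", "ldap ssl = no: LDAP traffic to the directory is unencrypted"))
    if "hostsallow" not in g:
        findings.append(("global", "no hosts allow: shares reachable from any source network"))
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if not share.get("validusers"):
            findings.append((name, "no valid users: access limited only by filesystem permissions"))
        if share.get("guestok", "").lower() in ("yes", "true"):
            findings.append((name, "guest ok = yes: unauthenticated access allowed"))
        for grp in group_dependencies(share):
            findings.append((name, f"depends on NSS group '{grp}' resolving (sssd); a lookup failure denies access"))
            if check_nss and nss_group_exists(grp) is False:
                findings.append((name, f"group '{grp}' does not resolve via getent"))
    return findings


if __name__ == "__main__":
    for section, msg in audit(parse_smb_conf(SAMPLE_SMB_CONF), check_nss=True):
        print(f"[{section}] {msg}")
```

Run it with `check_nss=True` on the real file (`open("/etc/samba/smb.conf").read()` in place of the sample) on the Samba host itself, since the point is whether that host's NSS stack, not the one running the audit, can resolve the groups; `testparm -s` is the complementary check for parameters Samba itself rejects.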


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure