On Wed, 18 Jan 2023, Николай Савельев via FreeIPA-users wrote:
> Hi. I have Samba on CentOS 7, version 4.8.3. I set it up with this instruction:
> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> The only difference: security = user, because with ads I can't connect.
> Also I have AD integration and Linux ACLs on shares, all works fine.
>
> Now I want to migrate to Oracle Linux 8. There are Samba versions from
> 4.9.1-8.el8 to 4.16.4-2.0.1.el8. I make the same settings on the new server.
> But with versions 4.15 - 4.16 I can't connect to the server from Windows
> clients. And I can connect from a Linux client (Ubuntu 20.04).
>
> With versions 4.9 - 4.14 I can connect to the server from both types of
> clients, but there is a strange situation with ACLs.
>
> setfacl -m user:username@ad_domain:rwx -R dir/ - AD user can write, read
> setfacl -m group:ipa_group:rwx -R dir/ - AD user can't into directory, from Ubuntu doesn't see dir
>
> I add the AD group via an external group to IPA. With CentOS 7 all works fine.
> On the new server I can see the AD user in the IPA group and the AD group.
> Also, I can work with these dirs via NFS - all works properly for IPA and
> AD users and groups.
>
> Any ideas? What did I miss?

Since RHEL 8.1 or so, the supported configuration to set up a Samba file
server on an IPA client is described here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

The specific part is
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm#installing-and-configuring-samba-on-an-idm-client_setting-up-samba-on-an-idm-domain-member

This configuration still has its limitations, but the case you describe
above should be working just fine if you set things up the way the
documentation tells you.

This setup was not possible on RHEL 7. You can get more technical
details on the FreeIPA design pages:
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html
and
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland