ksetup and mapping will not help with MS-PAC enforcement required now.
Hmm... we successfully established trust between IPA and AD, and IPA is
able to resolve users in AD. Can you point me in the right direction
for how to make /home/DOMAIN/username the home folder for AD users, as
demonstrated in the FOSDEM video?
IPA-realm: IPA-NAS.LAB.SKYFRITT.NET
AD-realm: MAD-NAS.LAB.SKYFRITT.NET
But look at this:
root@ipa-nas:/# klist
klist: Credentials cache 'KCM:0' not found
root@ipa-nas:/# smbclient -N --use-kerberos=required -L '\\mad-nas.mad-nas.lab.skyfritt.net\'
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
gensec_spnego_client_negTokenInit_step: Could not find a suitable
mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
root@ipa-nas:/# kinit admin
Password for [email protected]:
root@ipa-nas:/# smbclient -N --use-kerberos=required -L '\\mad-nas.mad-nas.lab.skyfritt.net\'
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
E$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Testshare Disk
Z$ Disk Default share
SMB1 disabled -- no workgroup available
root@ipa-nas:/# klist
Ticket cache: KCM:0
Default principal: [email protected]
Valid starting Expires Service principal
27/03/25 13:18:19 28/03/25 12:18:38 krbtgt/[email protected]
27/03/25 13:18:20 27/03/25 23:18:20 cifs/[email protected]
Ticket server: cifs/[email protected]
root@ipa-nas:/#
With ksetup one can add a mapping between Kerberos principals and domain
users, like this:
ksetup /mapuser principal@realm domain-user /domain domain-name
What this does is add an LDAP attribute to the user, setting:
https://learn.microsoft.com/en-us/windows/win32/ad/security-properties
Setting: altSecurityIdentities
https://learn.microsoft.com/en-us/windows/win32/ADSchema/a-altsecurityidentities
In my Windows logs, I still get access denied to files owned by the
AD user, so something is still not working, but my gut feeling says that
this is a promising approach. But I would need some more expertise to
either dismiss it or make proper adjustments in the Windows config. I
get no PAC-related errors in my Event Viewer (only lack of
NTFS privileges), but I might not be looking in the right places.
--
Best Regards,
Jostein Fossheim
--
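As an added check that is not part of the thread: ksetup /mapuser writes altSecurityIdentities entries of the form "Kerberos:principal@REALM", so the mapping it created can be audited from the AD side. This assumes the RSAT ActiveDirectory module; the user name 'aduser' and the principal 'ipauser@IPA-NAS.LAB.SKYFRITT.NET' are hypothetical.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
# Lists every explicit Kerberos name mapping in the domain and verifies that a
# given user carries the entry ksetup /mapuser should have written.
Import-Module ActiveDirectory

function Get-KerberosNameMapping {
    # One object per "Kerberos:..." entry, across all users that have any mapping.
    Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
        ForEach-Object {
            $user = $_
            foreach ($entry in $user.altSecurityIdentities) {
                if ($entry -like 'Kerberos:*') {
                    [pscustomobject]@{
                        SamAccountName = $user.SamAccountName
                        Principal      = $entry.Substring('Kerberos:'.Length)
                    }
                }
            }
        }
}

function Test-KerberosNameMapping {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Principal   # user@REALM, realm in upper case
    )
    # Exact (case-sensitive) comparison: Kerberos principal names are case-sensitive,
    # so a mapping with a lower-case realm would not match the ticket's principal.
    $expected = "Kerberos:$Principal"
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    return [bool]($user.altSecurityIdentities -ccontains $expected)
}

# Hypothetical values: the AD account and the IPA principal that was mapped to it.
Get-KerberosNameMapping | Format-Table -AutoSize
Test-KerberosNameMapping -SamAccountName 'aduser' -Principal 'ipauser@IPA-NAS.LAB.SKYFRITT.NET'
```

The audit function is also a cheap way to review which accounts carry explicit name mappings at all, since each one is an alternative path to that account.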
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue