Alexander Bokovoy <abokovoy@...> writes: > > On Fri, 28 Mar 2014, Jason Woods wrote: > >Hi > >(Apologies - resending to the list - I'm so used to the Reply-To already set but it appears not to be here my bad.) > > > >> On 28 Mar 2014, at 11:32, Petr Spacek <pspacek@...> wrote: > >> > >> Please let us know if it worked for you or not. I'm curious! > > > >I'm pretty curious too. > > > >I have RHEL 6.5 with samba authenticating with IPA using ipasam.so. I > >needed to add two patches though to 3.0 to fix 'valid users' group > >resolution and also performance. They're merged into master and 3.3 > >and will be in RHEL 7. > > > >Apart from the patching it was easy to do - just needed ipa-server and > >ipa-server-adtrust installed and setup and it did all the config for me > >(the adtrust part sets up samba with ipasam.so for you). > > > >Problem is running ipasam.so without the ipa-server locally - is how to > >get it so the host can see ipaNTHash in the schema to check password. > >If ipa-server is local the host has access, otherwise it doesn't. > > > >So be good to find out what aci or service principal stuff makes that > >available in an elegant and secure way. > We have https://fedorahosted.org/freeipa/ticket/3999 for documenting it > all and may be creating a simple configuration tool. > > Timing is not yet defined. >
Is there any news on this issue? I tried the following work-around which unfortunately did not work. 1. On the IPA Server: ]# yum install ipa-server-trust-ad 2. On the IPA Server: Run "ipa-adtrust-install" ]# ipa-adtrust-install 3. On ipa-server: Copy "ipasam.so" to samba server: ]# scp /usr/lib64/samba/pdb/ipasam.so file--s0-v1.becke.ch:/usr/lib64/samba/pdb/ 4. On ipa-server:Create the following CIFS service: ]# ipa service-add cifs/[email protected] 5. On ipa-server: Create keytab for samba server and copy over to samba server ]# ipa-getkeytab -s directory--s0-v1.becke.ch -p cifs/[email protected] -k /tmp/samba.keytab ]# scp /tmp/samba.keytab [email protected]:/etc/samba/samba.keytab 6. On samba server: vi /etc/samba/smb.conf ... [global] workgroup = BECKECH server string = Samba Server Version %v netbios name = FILES0V1 log file = /var/log/samba/%m.log max log size = 50 realm = BECKE.CH kerberos method = dedicated keytab dedicated keytab file = FILE:/etc/samba/samba.keytab create krb5 conf = no security = user # passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-BECKE-CH.socket passdb backend = ipasam:ldaps://directory--s0-v1.becke.ch ldapsam:trusted=yes ldap ssl = off ldap suffix = dc=becke,dc=ch ldap user suffix = cn=users,cn=accounts ldap group suffix = cn=groups,cn=accounts ldap machine suffix = cn=computers,cn=accounts ... But all this did not help and I always get: ]# smbclient -L file--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10 ... NTLMSSP_NEGOTIATE_KEY_EXCH SPNEGO login failed: Logon failure session setup failed: NT_STATUS_LOGON_FAILURE ... Doing the same against the IPA Server everything works fine: # smbclient -L directory--s0-v1.becke.ch -U test--s0-v1%eo885418 -d 10 ... Maybe there is something wrong in: "cli_init_creds" ... but now after hours of research, debugging and testing I will give up and switch to "tdbsam" which is not optimal but should at least work ... -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
