On Wed, 11 Feb 2015, Israel Miranda wrote:
I did follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA but first I was always getting NT_STATUS_UNSUCCESSFUL. First I thought it was related to a bad parameter in my Samba configuration, because http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA says it is about IPA v4, and I found this ticket https://fedorahosted.org/freeipa/ticket/3999. I thought the documentation was incomplete.
Documentation regarding Samba integration is incomplete. We are working on improving it but nothing is ready for review yet.
I debugged the Kerberos log file and I realized I was using just username instead of [email protected] on the Windows 8 machine. It showed REALM as a groupname and I thought Samba would do the translation, but even on Windows share logon you have to use [email protected], otherwise it doesn't work.
Yes. When you are using cross-forest trust to AD this will happen automatically. If you are not using cross-forest trust to AD, this use case is not yet officially supported so I am glad that it works for you.
Also, what about all those LDAP objects I created earlier? Are they worthwhile or needed for a kerberized CIFS server? Because they are not mentioned in http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
You don't need to create any additional LDAP objects. What you need is basically the following:

1. Run ipa-adtrust-install on all masters that will be serving AD users. Right now this means effectively all masters but we are working on separating the heavy parts (running smbd/winbindd on each master) soon.
2. Use http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA to configure your Fedora 21+ or RHEL7.1beta or later servers to host Samba.
It is working flawlessly now. Thanks a lot for the tip, now my smb.conf is just like in the example of the howto and it is working through sssd-libwbclient accessing the keytab. I have detailed the steps and commands to create the LDAP objects; there is a typo in many places on the internet because it was reproduced from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
Notice that it is against Fedora 17 which is way old now and obsolete.
I also think it should be documented somewhere that ipa-adtrust-install creates/populates the ipaNTHash. I couldn't find it anywhere; someone told me this on freenode.
Given that you don't need to know about ipaNTHash to use http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA, all you need is documented there. I've added a note that IPA masters have to be configured with ipa-adtrust-install.
And one more doubt. ipa config-mod --userobjectclasses=aaa,bbb,ccc or ipa config-mod --groupobjectclasses=aaa,bbb,ccc doesn't work on IPA 4. Is there a way of doing this on the command line on IPA 4?
Use shell expansion.
ipa object-command --attribute={value1,value2,value3,...}
--
/ Alexander Bokovoy
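
Added example, not part of the original message or the FreeIPA project's code: what the shell expansion suggested above hands to ipa, written as a POSIX sh helper so it also covers the cases where bash brace expansion does nothing (a single value, or a shell without brace expansion). The helper name multi_opt is hypothetical and aaa,bbb,ccc are the placeholder class names from the question.

```shell
#!/bin/sh
# Added example; multi_opt is a hypothetical helper name.
#
# In bash,  ipa config-mod --userobjectclasses={aaa,bbb,ccc}
# is rewritten by the shell, before ipa starts, into
#   ipa config-mod --userobjectclasses=aaa --userobjectclasses=bbb \
#                  --userobjectclasses=ccc
# i.e. the option is repeated once per value.
#
# Two cases where that silently does not happen:
#   * one value only: {aaa} has no comma, so bash passes the literal
#     string --userobjectclasses={aaa} to ipa;
#   * plain POSIX sh (dash etc.) has no brace expansion at all.
#
# multi_opt OPTION LIST prints one --OPTION=value word per
# comma-separated item of LIST, skipping empty items. Values must not
# contain whitespace (object class names never do).
multi_opt() (
    opt=$1
    IFS=,          # split LIST on commas; subshell keeps caller's IFS intact
    set -f         # never glob-expand a value
    out=
    for v in $2; do
        [ -n "$v" ] || continue
        out="${out:+$out }--$opt=$v"
    done
    printf '%s\n' "$out"
)

# Show the command lines that would be run (ipa itself is not invoked).
echo "ipa config-mod $(multi_opt userobjectclasses aaa,bbb,ccc)"
echo "ipa config-mod $(multi_opt groupobjectclasses aaa)"
```

To run the command for real, use the output unquoted so each option becomes its own argument: `ipa config-mod $(multi_opt userobjectclasses aaa,bbb,ccc)`.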
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
