Hi,

Yes, log is anonymised.

It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in LDAP. There must be something going wrong I guess.

Matt

2015-08-04 17:45 GMT+02:00 Christopher Lamb <[email protected]>:
> Hi Matt
>
> I assume [username] is a real username, identical to that in the FreeIPA
> cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>
> Your user should be a member of the appropriate samba groups that you set up
> in FreeIPA.
>
> You should check that the user attribute SambaPwdLastSet is set to a
> positive value (e.g. 1). If not you get an error in the Samba logs - I
> would need to play around again with a test user to find out the exact
> error.
>
> I don't understand what you mean about syncing the users local, but we did
> not need to do anything like that.
>
> Chris
>
> From: "Matt ." <[email protected]>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: "[email protected]" <[email protected]>
> Date: 04.08.2015 15:33
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> A puppet run added another passdb backend, that was causing my issue.
>
> What I still experience is:
>
> [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'username' in passdb.
> [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>
> I also wonder if I shall still sync the users local, or is it needed?
>
> Thanks again,
>
> Matt
>
> 2015-08-04 14:16 GMT+02:00 Christopher Lamb <[email protected]>:
>> Hi Matt
>>
>> From our smb.conf file:
>>
>> [global]
>> security = user
>> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>> ldap admin dn = cn=Directory Manager
>>
>> So yes, we use Directory Manager, it works for us. I have not tried with a
>> less powerful user, but it is conceivable that a lesser user may not see
>> all the required attributes, resulting in "no such user" errors.
>>
>> Chris
>>
>> From: "Matt ." <[email protected]>
>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>> Cc: "[email protected]" <[email protected]>
>> Date: 04.08.2015 13:32
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>> Hi Chris,
>>
>> Thanks for the heads up, indeed local is 4 I see now when I add a
>> group from the GUI, great thanks!
>>
>> But do you use Directory Manager as ldap admin user or some other
>> admin account?
>>
>> I'm not sure if DM is needed and it should get that deep into IPA.
>> Also when starting samba it cannot find "such user" as that sounds
>> quite known as it has no UID.
>>
>> From your config I see you use DM, this should work?
>>
>> Thanks!
>>
>> Matt
>>
>> 2015-08-03 17:17 GMT+02:00 Christopher Lamb <[email protected]>:
>>> Hi Matt
>>>
>>> It sounds like you now have prepared FreeIPA for Samba
>>>
>>> I assume you have already configured Samba to authenticate via FreeIPA
>>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>>
>>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>>> with SambaGroupType = 4)
>>>
>>> For example:
>>>
>>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>>
>>> This group has (among others) the attribute SambaGroupType = 4
>>>
>>> We can then use the name of the group in the smb.conf file
>>>
>>> [junit]
>>> comment = JUnit Share
>>> path = /samba/junit
>>> browseable = no
>>> valid users = @smb-junit
>>> write list = @smb-junit
>>> force group = smb-junit
>>> create mask = 0770
>>>
>>> Ciao
>>>
>>> Chris
>>>
>>> From: "Matt ." <[email protected]>
>>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>> Cc: "[email protected]" <[email protected]>, Petr Vobornik <[email protected]>
>>> Date: 03.08.2015 16:03
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>> Hi,
>>>
>>> OK, I have a Samba Group Type now in my groups details list and also
>>> in the groups settings tab.
>>>
>>> I'm not 100% how this is managed. I have Grouptype 4, in the groups
>>> overview it's still empty. But how to manage this between samba and
>>> ipa? What should be the reference between the group(names)?
>>>
>>> Thanks again!
>>>
>>> Matt
>>>
>>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb <[email protected]>:
>>>> Hi Matt
>>>>
>>>> It looks like I skipped that step ... (And as we already had samba groups
>>>> in place, did not need to make new ones via the WebUI).
>>>>
>>>> However a quick google trawled up this old thread that has a possible
>>>> answer from Peter. (I have not tested it yet myself).
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>>
>>>> Chris
>>>>
>>>> From: "Matt ." <[email protected]>
>>>> To:
>>>> Cc: "[email protected]" <[email protected]>
>>>> Date: 03.08.2015 12:45
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by: [email protected]
>>>>
>>>> In my previous reply, I meant "no group.js at all".
>>>>
>>>> 2015-08-03 12:17 GMT+02:00 Matt . <[email protected]>:
>>>>> Hi Chris,
>>>>>
>>>>> Thanks for that verification!
>>>>>
>>>>> It seems that:
>>>>>
>>>>> /usr/share/ipa/ui/group.js
>>>>>
>>>>> Is not there on IPA 4.1, also there is no .js at all on the whole system.
>>>>>
>>>>> Any idea there?
>>>>>
>>>>> Thanks again!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>> Hi Matt
>>>>>>
>>>>>> Thankfully I saved the output from those ldapmodify commands (against
>>>>>> FreeIPA 4.1) and was able to find it again!
>>>>>>
>>>>>> In our case sambagrouptype also seems to have already been present, so that
>>>>>> should not hurt.
>>>>>>
>>>>>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>> > dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>> > changetype: add
>>>>>> > add: ipaCustomFields
>>>>>> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> > EOF
>>>>>> SASL/GSSAPI authentication started
>>>>>> SASL username: [email protected]
>>>>>> SASL SSF: 56
>>>>>> SASL data security layer installed.
>>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>>> ldap_add: Already exists (68)
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> From: "Matt ." <[email protected]>
>>>>>> To:
>>>>>> Cc: "[email protected]" <[email protected]>
>>>>>> Date: 02.08.2015 13:33
>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>> Sent by: [email protected]
>>>>>>
>>>>>> Chris,
>>>>>>
>>>>>> Are you doing this on 3.x or also 4.x?
>>>>>>
>>>>>> As the following already exists:
>>>>>>
>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>> changetype: add
>>>>>> add: ipaCustomFields
>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> EOF
>>>>>>
>>>>>> And I'm unsure about the python files as they are slightly different on 4.1
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> 2015-08-01 19:51 GMT+02:00 Matt . <[email protected]>:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>>> confirm this as really usable.
>>>>>>>
>>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>>> happens when we "need" to move because integration has been improved.
>>>>>>>
>>>>>>> I try to keep IPA as native as I can.
>>>>>>>
>>>>>>> So this is the best way to go for now, even when this thread is such "old"?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>>> Hi Matt
>>>>>>>>
>>>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>>>>>> this previous thread
>>>>>>>>
>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>>
>>>>>>>> That should point to this techslaves article with the detailed instructions
>>>>>>>> that we followed:
>>>>>>>>
>>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>>
>>>>>>>> The main reason we went that way is that we have no AD domain, which seems
>>>>>>>> to be required by other integration paths.
>>>>>>>>
>>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>>>>>>>> So things may be different on Ubuntu.
>>>>>>>>
>>>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>>>>> Directory Studio is very useful to visualise what is going on and to verify
>>>>>>>> if your changes are present! (and is sometimes easier to manually change
>>>>>>>> attributes rather than by LDAPMODIFY script....)
>>>>>>>>
>>>>>>>> There is another ongoing thread in this mailing list about problems with
>>>>>>>> the attribute SambaPwdLastSet.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> From: "Matt ." <[email protected]>
>>>>>>>> To:
>>>>>>>> Cc: "[email protected]" <[email protected]>
>>>>>>>> Date: 31.07.2015 16:58
>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> Sent by: [email protected]
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> This is nice to have confirmed.
>>>>>>>>
>>>>>>>> Is it possible for you to describe what you do? It might be handy to
>>>>>>>> add this to the IPA documentation also with some explanation why...
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>>>>> that we have is, that the users get no notice of password expiry until
>>>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>>>>> accepted when trying to connect to a share. Once the password is reset (via
>>>>>>>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> From: Youenn PIOLET <[email protected]>
>>>>>>>>> To: "Matt ." <[email protected]>
>>>>>>>>> Cc: "[email protected]" <[email protected]>
>>>>>>>>> Date: 31.07.2015 16:21
>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>> Sent by: [email protected]
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>>
>>>>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>>>>> solution :)
>>>>>>>>>
>>>>>>>>> Anyone?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Youenn Piolet
>>>>>>>>> [email protected]
>>>>>>>>>
>>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <[email protected]>:
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm really struggling getting a NON AD Samba server authing against a
>>>>>>>>> FreeIPA server:
>>>>>>>>>
>>>>>>>>> Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>>>>>>>> CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>>
>>>>>>>>> Now this seems to be the way:
>>>>>>>>>
>>>>>>>>> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>>
>>>>>>>>> But as this, which I also found on the mailinglists:
>>>>>>>>>
>>>>>>>>> NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>>>> shares using this method. This means that Windows clients not joined
>>>>>>>>> to Active Directory forest trusted by IPA would not be able to access
>>>>>>>>> the shares. This is related to SSSD not yet being able to handle
>>>>>>>>> NTLMSSP authentication.
>>>>>>>>>
>>>>>>>>> It might not be that easy to have a Samba Shares only server.
>>>>>>>>>
>>>>>>>>> Any idea here how to accomplish?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
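The checks this thread circles around can be run offline against an LDIF dump of the IPA users and groups and against the file server's smb.conf. The script below is an added example, not code from the thread, from FreeIPA or from Samba; the LDIF entries, the SIDs, the NT hash (the well-known hash of "password") and the smb.conf fragment are constructed. It encodes what the replies above state: ldapsam looks a user up by uid with objectClass sambaSamAccount and needs sambaSID and sambaNTPassword on the entry, otherwise the user is not in the passdb and you get the NT_STATUS_NO_SUCH_USER from Matt's log; sambaPwdLastSet must be a positive value as Chris says (Samba treats 0 as "must change password at next logon"); groups need sambaGroupMapping with a sambaSID and sambaGroupType 4 (local group); and a parameter repeated inside one smb.conf section is silently resolved to the last value, which is how the puppet-added passdb backend hid the ldapsam line.

```python
# Added example (not code from the thread, FreeIPA or Samba): offline checks for the
# ldapsam-on-FreeIPA setup discussed above; sample data at the bottom is constructed.
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF -> [(dn, {attr_lower: [values]})]; unfolds ' ' continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, cur = [], None, None
    for line in lines + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, cur))
            dn, cur = None, None
        elif not line.startswith("#"):
            key, _, val = (s.strip() for s in line.partition(":"))
            if key.lower() == "dn":
                dn, cur = val, defaultdict(list)
            elif cur is not None:
                cur[key.lower()].append(val)
    return entries

def check_samba_entries(ldif_text):
    """{dn: [problems]} for users (ldapsam needs sambaSamAccount, sambaSID, sambaNTPassword,
    sambaPwdLastSet > 0) and groups (sambaGroupMapping, sambaSID, sambaGroupType 4 = local)."""
    report = {}
    for dn, a in parse_ldif(ldif_text):
        oc = {v.lower() for v in a.get("objectclass", [])}
        p = []
        if "posixaccount" in oc:
            if "sambasamaccount" not in oc:
                p.append("no objectClass sambaSamAccount -> NT_STATUS_NO_SUCH_USER")
            p += [f"missing {x}" for x in ("sambaSID", "sambaNTPassword") if not a.get(x.lower())]
            pls = a.get("sambapwdlastset", [None])[0]
            if pls is None:
                p.append("missing sambaPwdLastSet (Samba attributes not written on password change)")
            elif not pls.isdigit() or int(pls) <= 0:
                p.append(f"sambaPwdLastSet={pls}; must be positive (0 = must change password)")
        elif "posixgroup" in oc:
            if "sambagroupmapping" not in oc:
                p.append("no objectClass sambaGroupMapping")
            if not a.get("sambasid"):
                p.append("missing sambaSID")
            gt = a.get("sambagrouptype", [None])[0]
            if gt not in ("2", "4"):
                p.append(f"sambaGroupType={gt}; expected 4 (local) or 2 (domain)")
        else:
            continue
        report[dn] = p
    return report

def check_smb_conf(smb_conf):
    """Flag parameters set twice in a section (Samba keeps the LAST value: how a puppet-added
    'passdb backend' hid ldapsam in the thread) and Directory Manager used as the bind DN."""
    vals = defaultdict(lambda: defaultdict(list))  # section -> param -> [values]
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, val = line.partition("=")
        if section is not None and key.strip():
            vals[section][key.strip().lower()].append(val.strip())
    findings = [f"[{s}] '{k}' set {len(v)} times; Samba uses the last: {v[-1]!r}"
                for s, kv in vals.items() for k, v in kv.items() if len(v) > 1]
    if vals["global"].get("ldap admin dn", [""])[0].lower() == "cn=directory manager":
        findings.append("[global] ldap admin dn is cn=Directory Manager; its password sits in "
                        "secrets.tdb on the file server, prefer a dedicated read-only bind DN")
    return findings

# Constructed samples: dummy SIDs, the hash is NT("password"); matt lacks sambaPwdLastSet.
SAMPLE_LDIF = """\
dn: uid=matt,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1003
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

dn: cn=smb-junit,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-2001
sambaGroupType: 4
"""
SAMPLE_SMB_CONF = ("[global]\n   passdb backend = ldapsam:ldap://ipa.example.test\n"
                   "   ldap admin dn = cn=Directory Manager\n   passdb backend = tdbsam\n")

if __name__ == "__main__":
    print(check_samba_entries(SAMPLE_LDIF), check_smb_conf(SAMPLE_SMB_CONF), sep="\n")
```

Feed it the output of something like ldapsearch -LLL -D 'cn=Directory Manager' -W -b cn=accounts,<your suffix> '(|(objectClass=posixAccount)(objectClass=posixGroup))' (suffix is a placeholder for your own base DN). Bind as the DN you put in ldap admin dn, so the dump reflects what ldapsam itself can read: a less privileged bind that is not allowed to read sambaNTPassword shows up here as spurious "missing sambaNTPassword" lines, which is the "no such user" effect Chris warns about. The Directory Manager finding is the least-privilege caveat behind Matt's doubt: the ldapsam bind password is stored in secrets.tdb (smbpasswd -w), so anyone who compromises the file server holds the directory superuser. One more thing visible in Chris's transcript: ldap_add: Already exists (68) is ldapmodify trying to create a new cn=ipaconfig entry, because the LDIF says changetype: add; adding a value to an attribute of an existing entry needs changetype: modify followed by add: ipaCustomFields.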
