Hi guys, I'm testing this out and I think I have almost set this up on a CentOS Samba server.

I'm using the ipa-adtrust way of Youenn, but it seems we still need to add (objectclass=sambaSamAccount)? Info is welcome! I will report back when I have it working.

Thanks!

Matt

2015-08-10 11:16 GMT+02:00 Christopher Lamb <[email protected]>:
> The next route I will try - is the one Youenn took, using ipa-adtrust
>
>
>
> From: "Matt ." <[email protected]>
> To: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
> Date: 10.08.2015 10:03
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
>
>
> Hi Chris,
>
> Okay this is good to hear.
>
> But don't we want an IPA managed Scheme?
>
> When I did a "ipa-adtrust-install --add-sids" it also wanted a local installed Samba and I wonder why.
>
> Good that we make some progress on making it all clear.
>
> Cheers,
>
> Matt
>
> 2015-08-10 6:12 GMT+02:00 Christopher Lamb <[email protected]>:
>> ldapsam + the samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.
>>
>>
>>
>> From: "Matt ." <[email protected]>
>> To: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
>> Date: 09.08.2015 21:17
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>
>>
>>
>> Hi,
>>
>> Yes I know about "anything" but which way did you use now?
>>
>>
>>
>> 2015-08-09 20:56 GMT+02:00 Christopher Lamb <[email protected]>:
>>> Hi Matt
>>>
>>> I am on OEL 7.1 - so anything that works on that should be good for RHEL and CentOS 7.x
>>>
>>> I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
>>>
>>> Chris
>>>
>>>
>>>
>>>
>>>
>>> From: "Matt ." <[email protected]>
>>> To: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
>>> Date: 09.08.2015 16:45
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>>
>>> Hi Chris,
>>>
>>> This sounds great!
>>>
>>> What are you using now, both CentOS? So Samba and FreeIPA?
>>>
>>> Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howtos?
>>>
>>> At least we are going somewhere!
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2015-08-09 14:54 GMT+02:00 Christopher Lamb <[email protected]>:
>>>> Hi Matt
>>>>
>>>> My test integration of FreeIPA 4.x and Samba 4.x with the "good old Samba Schema extensions" is up and working, almost flawlessly.
>>>>
>>>> I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
>>>>
>>>> So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
>>>>
>>>> The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
>>>>
>>>> There is also an existing alternative to hacking group.py, using "Class of Service" (CoS) documented in this thread from February 2015
>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html .
>>>> I have not yet tried it, but it sounds reasonable.
>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From: "Matt ." <[email protected]>
>>>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>>> Cc: "[email protected]" <[email protected]>, Youenn PIOLET <[email protected]>
>>>> Date: 06.08.2015 16:19
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>
>>>>
>>>>
>>>> Hi Chris,
>>>>
>>>> OK, then we might create two different versions of the wiki, I think this is nice.
>>>>
>>>> I'm still figuring out why I get that:
>>>>
>>>> IPA Error 4205: ObjectclassViolation
>>>>
>>>> missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>
>>>> Matt
>>>>
>>>> 2015-08-06 16:09 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>> Hi Matt
>>>>>
>>>>> As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
>>>>>
>>>>> The route I took is suited where there is no Active Directory involved: In my case all the Windows, OSX and Linux clients are islands that sit on the same network.
>>>>>
>>>>> The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>>> From: "Matt ." <[email protected]>
>>>>> To: Youenn PIOLET <[email protected]>
>>>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
>>>>> Date: 06.08.2015 14:42
>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier, does that one still apply somewhere or not at all?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>>
>>>>> 2015-08-06 12:23 GMT+02:00 Youenn PIOLET <[email protected]>:
>>>>>> Hey guys,
>>>>>>
>>>>>> I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
>>>>>>
>>>>>> General idea:
>>>>>>
>>>>>> On FreeIPA (4.1)
>>>>>> - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
>>>>>> - regenerate each user password to build ipaNTHash attribute, not here by default on users
>>>>>> - use your ldap browser to check ipaNTHash values are here on user objects
>>>>>> - create a CIFS service for your samba server
>>>>>> - Create user roles/permissions as described here:
>>>>>> http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>> so that CIFS service will be able to read ipaNTsecurityidentifier and ipaNTHash attributes in LDAP (ACI)
>>>>>> - SCP ipasam.so module to your cifs server (this is the magic trick): scp /usr/lib64/samba/pdb/ipasam.so [email protected]:/usr/lib64/samba/pdb/ You can also try to recompile it.
>>>>>>
>>>>>> On SAMBA Server side (CentOS 7...)
>>>>>> - Install server keytab file for CIFS
>>>>>> - check ipasam.so is here.
>>>>>> - check you can read password hash in LDAP with `ldapsearch -Y GSSAPI uid=admin ipaNTHash` thanks to kerberos
>>>>>> - make your smb.conf following the linked thread and restart service
>>>>>>
>>>>>> I don't know if it works in Ubuntu. I know sssd has evolved quickly and ipasam may use quite recent functionalities, the best is to just try. You can read in previous thread: "If you insist on Ubuntu you need to get ipasam somewhere, most likely to compile it yourself".
>>>>>>
>>>>>> Make sure your user has ipaNTHash attribute :)
>>>>>>
>>>>>> You may want to debug authentication on samba server, I usually do this:
>>>>>> `tail -f /var/log/samba/log* | grep <username>`
>>>>>>
>>>>>> Cheers
>>>>>> --
>>>>>> Youenn Piolet
>>>>>> [email protected]
>>>>>>
>>>>>>
>>>>>> 2015-08-05 17:40 GMT+02:00 Matt . <[email protected]>:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit.
>>>>>>>
>>>>>>> Can you paste your commands so we can test out too and report back?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-05 15:18 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>> > Hi Youenn
>>>>>>> >
>>>>>>> > Good news that you have got an integration working
>>>>>>> >
>>>>>>> > Now you have got it going, and the solution is fresh in your mind, how about adding a How-to page on this solution to the FreeIPA wiki?
>>>>>>> >
>>>>>>> > Chris
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > From: Youenn PIOLET <[email protected]>
>>>>>>> > To: "Matt ." <[email protected]>
>>>>>>> > Cc: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
>>>>>>> > Date: 05.08.2015 14:51
>>>>>>> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > Hi guys,
>>>>>>> >
>>>>>>> > Thank you so much for your previous answers.
>>>>>>> > I realised my SIDs were stored in ipaNTsecurityidentifier, thanks to ipa-adtrust-install --add-sids
>>>>>>> >
>>>>>>> > I found another way to configure smb here:
>>>>>>> > http://freeipa-users.redhat.narkive.com/ez2uKpFS/authenticate-samba-3-or-4-with-freeipa
>>>>>>> > It works perfectly.
>>>>>>> >
>>>>>>> > I'm using module ipasam.so I have manually scp'd to the samba server, Samba is set to use kerberos + ldapsam via this ipasam module.
>>>>>>> > Following the instructions, I created a user role allowing service principal to read ipaNTHash value from the LDAP.
>>>>>>> > ipaNTHash are generated each time a user changes his password.
>>>>>>> > Authentication works perfectly on Windows 7, 8 and 10.
>>>>>>> >
>>>>>>> > For more details, the previously linked thread is quite clear.
>>>>>>> >
>>>>>>> > Cheers
>>>>>>> >
>>>>>>> > --
>>>>>>> > Youenn Piolet
>>>>>>> > [email protected]
>>>>>>> >
>>>>>>> >
>>>>>>> > 2015-08-05 11:10 GMT+02:00 Matt . <[email protected]>:
>>>>>>> > Hi Chris.
>>>>>>> >
>>>>>>> > Yes, Apache Studio did that but I was not sure why it complained it was "already" there.
>>>>>>> >
>>>>>>> > I'm still getting:
>>>>>>> >
>>>>>>> > IPA Error 4205: ObjectclassViolation
>>>>>>> >
>>>>>>> > missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>>>>>>> >
>>>>>>> > When adding a user.
>>>>>>> >
>>>>>>> > I also see "class" as fieldname under my "Last name", this is not OK also.
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > We sure need to make some howto, I think we can nail this down :)
>>>>>>> >
>>>>>>> > Thanks for the heads up!
>>>>>>> >
>>>>>>> > Matthijs
>>>>>>> >
>>>>>>> > 2015-08-05 7:51 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>> > > Hi Matt
>>>>>>> > >
>>>>>>> > > If I use Apache Directory Studio to add an attribute ipaCustomFields to cn=ipaConfig,cn=etc, the operation it performs is a modify, as shown below:
>>>>>>> > >
>>>>>>> > > #!RESULT OK
>>>>>>> > > #!CONNECTION ldap://xxx-ldap2.my.silly.example.com:yyy
>>>>>>> > > #!DATE 2015-08-05T05:45:04.608
>>>>>>> > > dn: cn=ipaConfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>>> > > changetype: modify
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: Samba Group Type,sambagrouptype,true
>>>>>>> > >
>>>>>>> > > After that I then have a visible attribute ipaCustomFields as expected.
>>>>>>> > >
>>>>>>> > > When adding the attribute, the wizard offered me "ipaCustomFields" as attribute type in a drop down list.
>>>>>>> > >
>>>>>>> > > Once we get this cracked, we really must write a how-to on the FreeIPA Wiki.
>>>>>>> > >
>>>>>>> > > Chris
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > From: Christopher Lamb/Switzerland/IBM@IBMCH
>>>>>>> > > To: "Matt ." <[email protected]>
>>>>>>> > > Cc: "[email protected]" <[email protected]>
>>>>>>> > > Date: 05.08.2015 07:31
>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > > Sent by: [email protected]
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > Hi Matt
>>>>>>> > >
>>>>>>> > > I also got the same result at that step, but can see nothing in Apache Directory Studio.
>>>>>>> > >
>>>>>>> > > As I am using existing Samba / FreeIPA groups migrated across, they probably were migrated with all the required attributes.
>>>>>>> > >
>>>>>>> > > Looking more closely at that LDIF: I wonder should it not be:
>>>>>>> > >
>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>> > > changetype: modify
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> > > EOF
>>>>>>> > >
>>>>>>> > > i.e. changetype: modify, instead of changetype add?
>>>>>>> > >
>>>>>>> > > I don't want to play around with my prod directory - I will setup an EL 7.1 VM and install FreeIPA 4.x and Samba 4.x. That will allow me to play around more destructively.
>>>>>>> > >
>>>>>>> > > Chris
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > From: "Matt ." <[email protected]>
>>>>>>> > > To: Christopher Lamb/Switzerland/IBM@IBMCH
>>>>>>> > > Cc: Youenn PIOLET <[email protected]>, "[email protected]" <[email protected]>
>>>>>>> > > Date: 05.08.2015 01:01
>>>>>>> > > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > >
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > Hi Chris,
>>>>>>> > >
>>>>>>> > > I'm at the right path, but my issue is that:
>>>>>>> > >
>>>>>>> > > ldapmodify -Y GSSAPI <<EOF
>>>>>>> > > dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>>> > > changetype: add
>>>>>>> > > add: ipaCustomFields
>>>>>>> > > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>>> > > EOF
>>>>>>> > >
>>>>>>> > > Does say it exists, my ldap explorer doesn't show it, and when I add it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes
>>>>>>> > >
>>>>>>> > > So that is my issue I think so far.
>>>>>>> > >
>>>>>>> > > Any clue about that?
>>>>>>> > >
>>>>>>> > > No problem "you don't know something or are no guru" we are all learning! :)
>>>>>>> > >
>>>>>>> > > Cheers,
>>>>>>> > >
>>>>>>> > > Matt
>>>>>>> > >
>>>>>>> > >
>>>>>>> > > 2015-08-04 21:22 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>> > >> Hi Matt, Youenn
>>>>>>> > >>
>>>>>>> > >> Just to set the background properly, I did not invent this process. I know only a little about FreeIPA, and almost nothing about Samba, but I guess I was lucky enough to get the integration working on a Sunday afternoon. (I did have an older FreeIPA 3.x / Samba 3.x installation as a reference).
>>>>>>> > >>
>>>>>>> > >> It sounds like we need to step back, and look at the test user and group in the FreeIPA LDAP tree. I find using an LDAP browser makes this much easier.
>>>>>>> > >>
>>>>>>> > >> My FreeIPA / Samba Users have the following Samba extensions in FreeIPA (cn=accounts, cn=users):
>>>>>>> > >>
>>>>>>> > >> * objectClass: sambasamaccount
>>>>>>> > >>
>>>>>>> > >> * Attributes: sambaSID, sambaNTPassword, sambaPwdLastSet
>>>>>>> > >>
>>>>>>> > >> My FreeIPA / Samba Groups have the following Samba extensions in FreeIPA (cn=accounts, cn=groups):
>>>>>>> > >>
>>>>>>> > >> * objectClass: sambaGroupMapping
>>>>>>> > >>
>>>>>>> > >> * Attributes: sambaGroupType, sambaSID
>>>>>>> > >>
>>>>>>> > >> The Users must belong to one or more of the samba groups that you have setup.
>>>>>>> > >>
>>>>>>> > >> If you don't have something similar to the above (which sounds like it is the case), then something went wrong applying the extensions. It would be worth testing comparing a new user / group created post adding the extensions to a previous existing user.
>>>>>>> > >>
>>>>>>> > >> i.e.
>>>>>>> > >> are the extensions missing on existing users / groups?
>>>>>>> > >> are the extensions missing on new users / groups?
>>>>>>> > >>
>>>>>>> > >> Cheers
>>>>>>> > >>
>>>>>>> > >> Chris
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >> From: Youenn PIOLET <[email protected]>
>>>>>>> > >> To: "Matt ." <[email protected]>
>>>>>>> > >> Cc: Christopher Lamb/Switzerland/IBM@IBMCH, "[email protected]" <[email protected]>
>>>>>>> > >> Date: 04.08.2015 18:56
>>>>>>> > >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >> Hi there,
>>>>>>> > >>
>>>>>>> > >> I have difficulty following you at this point :)
>>>>>>> > >> Here is what I've done and what I've understood:
>>>>>>> > >>
>>>>>>> > >> ## SMB Side
>>>>>>> > >> - Testparm OK
>>>>>>> > >> - I've got the same NT_STATUS_NO_SUCH_USER when I try to connect.
>>>>>>> > >> - pdbedit -Lv output is all successful but I can see there is a filter: (&(uid=*)(objectclass=sambaSamAccount)). In LDAP, the users don't have sambaSamAccount.
>>>>>>> > >>
>>>>>>> > >> ## LDAP / FreeIPA side
>>>>>>> > >> - Since SMB server uses LDAP, I did ipa-adtrust-install on my FreeIPA server to get samba LDAP extensions.
>>>>>>> > >> - I can see samba classes exist in LDAP but are not used on my group objects nor my user objects
>>>>>>> > >> - I have added sambaSamAccount in FreeIPA default user classes, and sambaGroupMapping to default group classes. In that state I can't create users nor groups anymore, as new samba attributes are needed for instantiation.
>>>>>>> > >> - I have added in etc ipaCustomFields: 'Samba Group Type,sambagrouptype,true' but I don't get what it does.
>>>>>>> > >> - I tried to add the samba.js plugin. It works, and adds the "local" option when creating a group in FreeIPA, supposed to set sambagrouptype to 4 or 2 (domain). It doesn't work and tells that sambagrouptype attribute doesn't exist (but it should now I put sambaGroupType class by default...)
>>>>>>> > >>
>>>>>>> > >> ## Questions
>>>>>>> > >> 0) Can I ask samba not to search sambaSamAccount and use unix / posix instead? I guess no.
>>>>>>> > >> 1) How to generate the user/group SIDs? They are requested to add sambaSamAccount classes.
>>>>>>> > >> This article doesn't seem relevant since we don't use domain controller
>>>>>>> > >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
>>>>>>> > >> and net getlocalsid returns an error.
>>>>>>> > >> 2) How to fix samba.js plugin?
>>>>>>> > >> 3) I guess an equivalent of samba.js is needed for user creation, where can I find it?
>>>>>>> > >> 4) Is your setup working with Windows 8 / Windows 10 and not only Windows 7?
>>>>>>> > >>
>>>>>>> > >> Thanks a lot for your previous and future answers
>>>>>>> > >>
>>>>>>> > >> --
>>>>>>> > >> Youenn Piolet
>>>>>>> > >> [email protected]
>>>>>>> > >>
>>>>>>> > >>
>>>>>>> > >> 2015-08-04 17:55 GMT+02:00 Matt . <[email protected]>:
>>>>>>> > >> Hi,
>>>>>>> > >>
>>>>>>> > >> Yes, log is anonymised.
>>>>>>> > >>
>>>>>>> > >> It's strange, my user doesn't have a SambaPwdLastSet, also when I change its password it doesn't get it in ldap.
>>>>>>> > >>
>>>>>>> > >> There must be something going wrong I guess.
>>>>>>> > >>
>>>>>>> > >> Matt
>>>>>>> > >>
>>>>>>> > >> 2015-08-04 17:45 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>> > >> > Hi Matt
>>>>>>> > >> >
>>>>>>> > >> > I assume [username] is a real username, identical to that in the FreeIPA cn=accounts, cn=users tree? (i.e. you anonymised the log extract).
>>>>>>> > >> >
>>>>>>> > >> > Your user should be a member of the appropriate samba groups that you setup in FreeIPA.
>>>>>>> > >> >
>>>>>>> > >> > You should check that the user attribute SambaPwdLastSet is set to a positive value (e.g. 1). If not you get an error in the Samba logs - I would need to play around again with a test user to find out the exact error.
>>>>>>> > >> >
>>>>>>> > >> > I don't understand what you mean about syncing the users local, but we did not need to do anything like that.
>>>>>>> > >> >
>>>>>>> > >> > Chris
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> > From: "Matt ." <[email protected]>
>>>>>>> > >> > To: Christopher Lamb/Switzerland/IBM@IBMCH
>>>>>>> > >> > Cc: "[email protected]" <[email protected]>
>>>>>>> > >> > Date: 04.08.2015 15:33
>>>>>>> > >> > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> > Hi Chris,
>>>>>>> > >> >
>>>>>>> > >> > A puppet run added another passdb backend, that was causing my issue.
>>>>>>> > >> >
>>>>>>> > >> > What I still experience is:
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> > [2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>>>>>>> > >> >   check_sam_security: Couldn't find user 'username' in passdb.
>>>>>>> > >> > [2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
>>>>>>> > >> >   check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >> > I also wonder if I shall still sync the users local, or is it needed?
>>>>>>> > >> >
>>>>>>> > >> > Thanks again,
>>>>>>> > >> >
>>>>>>> > >> > Matt
>>>>>>> > >> >
>>>>>>> > >> > 2015-08-04 14:16 GMT+02:00 Christopher Lamb <[email protected]>:
>>>>>>> > >> >> Hi Matt
>>>>>>> > >> >>
>>>>>>> > >> >> From our smb.conf file:
>>>>>>> > >> >>
>>>>>>> > >> >> [global]
>>>>>>> > >> >> security = user
>>>>>>> > >> >> passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>>>>>>> > >> >> ldap suffix = dc=my,dc=silly,dc=example,dc=com
>>>>>>> > >> >> ldap admin dn = cn=Directory Manager
>>>>>>> > >> >>
>>>>>>> > >> >> So yes, we use Directory Manager, it works for us. I have not tried with a less powerful user, but it is conceivable that a lesser user may not see all the required attributes, resulting in "no such user" errors.
>>>>>>> > >> >>
>>>>>>> > >> >> Chris
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >> From: "Matt ." <[email protected]>
>>>>>>> > >> >> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>>>>>> > >> >> Cc: "[email protected]" <[email protected]>
>>>>>>> > >> >> Date: 04.08.2015 13:32
>>>>>>> > >> >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >> Hi Chris,
>>>>>>> > >> >>
>>>>>>> > >> >> Thanks for the heads up, indeed local is 4 I see now when I add a group from the GUI, great thanks!
>>>>>>> > >> >>
>>>>>>> > >> >> But do you use Directory Manager as ldap admin user or some other admin account?
>>>>>>> > >> >>
>>>>>>> > >> >> I'm not sure if DM is needed and it should get that deep into IPA. Also when starting samba it cannot find "such user" as that sounds quite known as it has no UID.
>>>>>>> > >> >>
>>>>>>> > >> >> From your config I see you use DM, this should work?
>>>>>>> > >> >>
>>>>>>> > >> >> Thanks!
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >> Matt
>>>>>>> > >> >>
>>>>>>> > >> >>
>>>>>>> > >> >
>>>>>>> > >> >
>>>>>>> > >>
>>>>>>> > >
>>>>>>> >
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
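Both integration paths in the thread stall on the same question: does the user or group entry actually carry the attributes that 389-ds's schema check (the "IPA Error 4205" above) and Samba's passdb lookup will demand? The following pre-flight checker is an added example, not code from the thread or from FreeIPA: it parses `ldapsearch -LLL` LDIF and reports the gaps for either route before `ldapmodify` or Samba trips over them. The MUST lists, the accepted `sambaGroupType` values and the sample entries are assumptions labelled in the code.

```python
"""Pre-flight check of FreeIPA user/group LDIF (as `ldapsearch -LLL` prints it) for
the Samba attributes the thread argues about.  Added example, not from the thread.
Assumptions: MUST lists follow the Samba 3 schema (samba.schema); sambaGroupType
2 = domain, 4 = local (thread), 5 = well-known (Samba source); sample LDIF is constructed."""
import base64
import re

SAMBA_MUST = {                       # objectClass -> attributes it requires
    "sambasamaccount": {"uid", "sambasid"},
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype"},
}
GROUP_TYPES = {"2", "4", "5"}
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")                  # domain SID + RID
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")  # attr, sep, value

def parse_ldif(text):
    """Entries as {attr_lowercase: [values]}; `::` base64 values come back as bytes."""
    text = re.sub(r"\r?\n ", "", text)            # re-join RFC 2849 folded lines
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            entries += [cur] if cur else []
            cur = {}
        elif not line.startswith("#"):            # skip comments like "#!RESULT OK"
            attr, sep, val = LDIF_LINE.match(line).groups()   # AttributeError if not LDIF
            cur.setdefault(attr.lower(), []).append(base64.b64decode(val) if sep == "::" else val.strip())
    return entries

def check_entry(entry, route):
    """Problems for one entry; route is 'ldapsam' (Chris's path) or 'ipasam'
    (Youenn's path: SID and NT hash written by ipa-adtrust-install)."""
    dn = entry.get("dn", ["<no dn>"])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    strs = lambda a: [v for v in entry.get(a, []) if isinstance(v, str)]
    out = []
    for oc, must in SAMBA_MUST.items():           # the rule 389-ds enforces; a hit
        if oc in classes:                         # here is "IPA Error 4205" on write
            for attr in sorted(must - set(entry)):
                out.append(f'{dn}: missing attribute "{attr}" required by object class "{oc}"')
    for sid in strs("sambasid") + strs("ipantsecurityidentifier"):
        if not SID_RE.match(sid):
            out.append(f"{dn}: malformed SID {sid!r}")
    for gt in strs("sambagrouptype"):
        if gt not in GROUP_TYPES:
            out.append(f"{dn}: sambaGroupType {gt!r} not one of {sorted(GROUP_TYPES)}")
    if route == "ldapsam" and "posixaccount" in classes:
        if "sambasamaccount" not in classes:      # pdbedit's search filter skips it
            out.append(f"{dn}: user lacks objectClass sambaSamAccount")
        if not any(v.isdigit() and int(v) > 0 for v in strs("sambapwdlastset")):
            out.append(f"{dn}: sambaPwdLastSet missing or not positive")
    if route == "ipasam" and "posixaccount" in classes:
        if not strs("ipantsecurityidentifier"):
            out.append(f"{dn}: no ipaNTSecurityIdentifier (ipa-adtrust-install --add-sids)")
        if not any(isinstance(v, bytes) and len(v) == 16 for v in entry.get("ipanthash", [])):
            out.append(f"{dn}: no 16-byte ipaNTHash (password not reset since adtrust install)")
    return out

def check_ldif(text, route):
    return {e["dn"][0]: p for e in parse_ldif(text) if (p := check_entry(e, route))}

SAMPLE_LDIF = f"""dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-111-222-333-1001
sambaPwdLastSet: 1

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-111-222-333-1002
ipaNTHash:: {base64.b64encode(bytes(range(16))).decode()}

dn: cn=devel,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 5000
sambaSID: S-1-5-21-111-222-333-2001
"""
```

Run `check_ldif(open("users.ldif").read(), "ldapsam")` over a real export to see which entries the ldapsam route would still reject; with the constructed sample, alice passes ldapsam, bob passes ipasam, and the devel group fails both with the exact sambaGroupType violation quoted in the thread.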
