I should think so:

On IPA server:

  ipa role-show 'CIFS server'
    Role name: CIFS server
    Privileges: CIFS server privilege
    Member services: cifs/[email protected]

  ipa privilege-show 'CIFS server privilege'
    Privilege name: CIFS server privilege
    Permissions: CIFS test, CIFS server can read user passwords
    Granting privilege to roles: CIFS server

  ipa permission-show 'CIFS server can read user passwords'
    Permission name: CIFS server can read user passwords
    Granted rights: read, search, compare
    Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
    Bind rule type: permission
    Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
    Type: user
    Granted to Privilege: CIFS server privilege
    Indirect Member of roles: CIFS server

  ipa-getkeytab -s kenai.casalogic.lan -p cifs/[email protected] -k /tmp/samba.keytab

samba.keytab copied to samba server.

On samba server (tinkerbell):

  kdestroy -A
  kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
  ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
  SASL/GSSAPI authentication started
  SASL username: cifs/[email protected]
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base <dc=casalogic,dc=lan> (default) with scope subtree
  # filter: uid=th
  # requesting: ipaNTHash
  #

  # th, users, compat, casalogic.lan
  dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

  # th, users, accounts, casalogic.lan
  dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

  # search result
  search: 4
  result: 0 Success

  # numResponses: 3
  # numEntries: 2

----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <[email protected]> wrote:

> Are you using the correct principal for the ldapsearch? Did you grant it
> permissions to view those attributes?
>
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <[email protected]> wrote:
>
>> Hmm, weird. I ran ipa-adtrust-install and it said it had users without
>> SIDs, and I told it to generate SIDs. However, I still can't see them on
>> the user. The IPA DB doesn't reveal them being generated and I can't look
>> them up via LDAP.
>>
>>   ldapsearch -Y GSSAPI uid=th ipaNTHash
>>   .......
>>   # th, users, compat, casalogic.lan
>>   dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>>   # th, users, accounts, casalogic.lan
>>   dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>   .....
>>
>> Samba however starts fine now, but is unable to find any users:
>>
>>   pdbedit -Lv
>>   pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>
>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <[email protected]> wrote:
>>
>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust.
>>> It would be nice if there was a way to generate these values another way;
>>> maybe there is but I missed it.
>>>
>>> --Joshua D Doll
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project

--
Kind regards

Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
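A check for the symptom this thread is chasing (the bound cifs principal gets the user's entry back but no ipaNTHash on it, which looks the same whether the attribute was never generated or the permission does not cover it), as an added example that is not part of the thread: it parses ldapsearch LDIF output and reports, per DN, which requested attributes the server omitted. The sample LDIF is constructed from the output quoted above.

```python
from typing import Dict, List

# Constructed sample: the LDIF from the thread's `ldapsearch ... uid=th ipaNTHash`,
# trimmed to the relevant lines (entries returned, requested attribute absent).
SAMPLE_LDIF = """\
# extended LDIF
# filter: uid=th
# requesting: ipaNTHash

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 4
result: 0 Success
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attr: [values]}} for each entry in ldapsearch LDIF output."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:  # LDIF line folding: continuation
            current[last_attr][-1] += raw[1:]
            continue
        if raw == "":                          # blank line terminates an entry;
            if "dn" in current:                # the search:/result: block has no dn
                entries[current["dn"][0]] = {k: v for k, v in current.items() if k != "dn"}
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):                # ldapsearch comments
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": "))  # '::' = base64
        last_attr = attr
    return entries

def missing_attributes(text: str, wanted: List[str]) -> Dict[str, List[str]]:
    """Per DN, the requested attributes the server did not return. A non-empty
    list is the thread's symptom: the entry is visible, but the attribute is
    absent or not readable under the bound principal's permission."""
    return {dn: [a for a in wanted if a not in attrs]
            for dn, attrs in parse_ldif(text).items()}
```

Pipe real `ldapsearch` output into `missing_attributes(..., ["ipaNTHash", "ipaNTSecurityIdentifier"])` once after `ipa-adtrust-install --add-sids` and once as the cifs principal; if admin sees the attributes and the principal does not, the gap is the permission rather than SID generation.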
