What about as directory manager?

--Joshua D Doll
On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <[email protected]> wrote:

> I should think so:
>
> On IPA server.
>
> ipa role-show 'CIFS server'
>   Role name: CIFS server
>   Privileges: CIFS server privilege
>   Member services: cifs/[email protected]
>
> ipa privilege-show 'CIFS server privilege'
>   Privilege name: CIFS server privilege
>   Permissions: CIFS test, CIFS server can read user passwords
>   Granting privilege to roles: CIFS server
>
> ipa permission-show 'CIFS server can read user passwords'
>   Permission name: CIFS server can read user passwords
>   Granted rights: read, search, compare
>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>   Bind rule type: permission
>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>   Type: user
>   Granted to Privilege: CIFS server privilege
>   Indirect Member of roles: CIFS server
>
> ipa-getkeytab -s kenai.casalogic.lan -p cifs/[email protected] -k /tmp/samba.keytab
>
> samba.keytab copied to samba server.
>
> on samba server (tinkerbell):
> kdestroy -A
> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>
> SASL/GSSAPI authentication started
> SASL username: cifs/[email protected]
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=casalogic,dc=lan> (default) with scope subtree
> # filter: uid=th
> # requesting: ipaNTHash
> #
>
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <[email protected]> wrote:
>
> Are you using the correct principal for the ldapsearch? Did you grant it permissions to view those attributes?
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <[email protected]> wrote:
>
>> Hmm, weird.
>> I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs.
>> However, I still can't see them on the user.
>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.
>>
>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>> .......
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> .....
>>
>> Samba however starts fine now, but is unable to find any users:
>> pdbedit -Lv
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>
>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <[email protected]> wrote:
>>
>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the ipa-adtrust-install --add-sids, even though I was not setting up a trust. It would be nice if there was a way to generate these values another way, maybe there is but I missed it.
>> --Joshua D Doll
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
>
> Kind regards
>
> *Troels Hansen*
>
> System consultant
>
> Casalogic A/S
>
> T (+45) 70 20 10 63
>
> M (+45) 22 43 71 57
> <http://www.casalogic.dk/signatur/th.vcf>
> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
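An added diagnostic, not code from this thread or from FreeIPA: a small Python script that parses the LDIF text ldapsearch prints (the sample below is constructed to match the output quoted in the thread) and reports, for each returned entry, which requested attributes did not come back and whether the entry's DN lies under the subtree the 'CIFS server can read user passwords' permission covers (cn=users,cn=accounts,dc=casalogic,dc=lan, taken from the permission-show output above). An entry that is returned without the requested attribute is ambiguous from the client side: either the attribute is not set on the entry, or the bind identity's ACIs do not allow reading it. The compat-tree entry in the thread's output is outside the permission's subtree regardless, so only the cn=accounts entry is worth chasing.

```python
"""Audit which entries returned by an ldapsearch carried the requested
attributes.

Added example (not from the mailing-list thread or FreeIPA). The LDIF
below is constructed to mirror the `ldapsearch ... uid=th ipaNTHash`
output quoted in the thread; the permission subtree is the value shown
by `ipa permission-show` there.
"""
import re

# Constructed sample: the thread's ldapsearch output.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Subtree of the read permission, as shown by `ipa permission-show`.
PERMISSION_SUBTREE = "cn=users,cn=accounts,dc=casalogic,dc=lan"


def parse_ldif(text):
    """Return (requested_attrs, entries).

    entries is a list of (dn, {attr_lowercase: [values]}). LDIF line
    continuations (a line starting with one space) are joined first;
    base64 values ("attr:: ...") are kept as the raw base64 string.
    Lines outside any entry (search/result summary) are ignored.
    """
    requested = []
    entries = []
    current = None
    text = re.sub(r"\n ", "", text)  # join folded lines
    for line in text.splitlines():
        if line.startswith("#"):
            m = re.match(r"#\s*requesting:\s*(.*)", line)
            if m:
                requested = m.group(1).split()
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ")  # handles "attr: v" and "attr:: b64"
        attr = attr.lower()
        if attr == "dn":
            current = (value, {})
            continue
        if current is None:
            continue  # e.g. "search: 4", "result: 0 Success"
        current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return requested, entries


def in_subtree(dn, subtree):
    """Case-insensitive check that dn sits at or below subtree."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def audit(text, permission_subtree):
    """Per returned entry: missing requested attributes and whether the
    entry is inside the subtree the read permission applies to."""
    requested, entries = parse_ldif(text)
    report = []
    for dn, attrs in entries:
        missing = [a for a in requested if a.lower() not in attrs]
        report.append({
            "dn": dn,
            "in_permission_subtree": in_subtree(dn, permission_subtree),
            "missing": missing,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF, PERMISSION_SUBTREE):
        where = ("covered by permission" if row["in_permission_subtree"]
                 else "outside permission subtree")
        status = ("all requested attributes returned" if not row["missing"]
                  else "missing: " + ", ".join(row["missing"]))
        print(f"{row['dn']}: {where}; {status}")
```

Run it against the saved output of an `ldapsearch` bound as the service principal; an entry reported as "covered by permission; missing: ipaNTHash" is the case to investigate further on the server side (attribute never generated versus ACI not effective for that bind).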
