Same result...

ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=casalogic,dc=lan> (default) with scope subtree
# filter: uid=th
# requesting: ipaNTHash
#

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <[email protected]> wrote:

> What about as directory manager?
>
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <[email protected]> wrote:
>
>> I should think so:
>>
>> On IPA server.
>>
>> ipa role-show 'CIFS server'
>>   Role name: CIFS server
>>   Privileges: CIFS server privilege
>>   Member services: cifs/[email protected]
>>
>> ipa privilege-show 'CIFS server privilege'
>>   Privilege name: CIFS server privilege
>>   Permissions: CIFS test, CIFS server can read user passwords
>>   Granting privilege to roles: CIFS server
>>
>> ipa permission-show 'CIFS server can read user passwords'
>>   Permission name: CIFS server can read user passwords
>>   Granted rights: read, search, compare
>>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>   Bind rule type: permission
>>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>   Type: user
>>   Granted to Privilege: CIFS server privilege
>>   Indirect Member of roles: CIFS server
>>
>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/[email protected] -k /tmp/samba.keytab
>>
>> samba.keytab copied to samba server.
>>
>> on samba server (tinkerbell):
>>
>> kdestroy -A
>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>> SASL/GSSAPI authentication started
>> SASL username: cifs/[email protected]
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>>
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <[email protected]> wrote:
>>
>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>> permissions to view those attributes?
>>>
>>> --Joshua D Doll
>>>
>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <[email protected]> wrote:
>>>
>>>> Hmm, weird.
>>>>
>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>> told it to generate SIDs.
>>>>
>>>> However, I still can't see them on the user.
>>>> The IPA db doesn't reveal them being generated and I can't look them up via
>>>> LDAP.
>>>>
>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>> .......
>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>>
>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>> .....
>>>>
>>>> Samba however starts fine now, but is unable to find any users:
>>>>
>>>> pdbedit -Lv
>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>>>
>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <[email protected]> wrote:
>>>>
>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run
>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>> would be nice if there was a way to generate these values another way; maybe
>>>>> there is but I missed it.
>>>>>
>>>>> --Joshua D Doll

--
Best regards

Troels Hansen
Systems consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
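The thread's reasoning (try the search as the service principal, then as Directory Manager) separates a permission problem from a value that was never written. The following is an added diagnostic, not code from the thread or from FreeIPA: it parses ldapsearch LDIF output from both binds and classifies each requested attribute per entry. The sample LDIF is constructed to match the output quoted above.

```python
# Constructed sample modelled on the thread: both binds return the two uid=th
# entries, and neither carries the requested ipaNTHash attribute.
LDIF_DM = """\
# extended LDIF
# filter: uid=th
# requesting: ipaNTHash

# th, users, compat, casalogic.lan
dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan

# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan

# search result
search: 2
result: 0 Success
"""
LDIF_SERVICE = LDIF_DM  # the GSSAPI bind as cifs/... returned the same entries


def parse_ldif(text):
    """Map each dn to {attribute: [values]}. Comment lines are skipped, and the
    trailing 'search:'/'result:' block (after a blank line, no dn) is ignored."""
    entries, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            dn = None                      # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value[1:].strip() if value.startswith(":") else value.strip()  # 'attr:: b64' kept encoded
        if attr == "dn":
            dn = value
            entries[dn] = {}
        elif dn is not None:
            entries[dn].setdefault(attr, []).append(value)
    return entries


def diagnose(attrs, ldif_as_dm, ldif_as_service):
    """Per dn and attribute: 'visible' if the service bind returns it, 'acl_hidden'
    if only Directory Manager does (fix the permission), 'not_stored' if even
    Directory Manager does not (the value was never generated; no ACI can help)."""
    dm, svc = parse_ldif(ldif_as_dm), parse_ldif(ldif_as_service)
    report = {}
    for dn in dm:
        for a in attrs:
            if a in svc.get(dn, {}):
                state = "visible"
            elif a in dm[dn]:
                state = "acl_hidden"
            else:
                state = "not_stored"
            report.setdefault(dn, {})[a] = state
    return report
```

For the output in the thread every entry classifies as `not_stored`, which matches Directory Manager seeing nothing either: the permission shown in the thread is not the limiting factor.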
