Hmm... well, I'm at a loss then. I had to only run the ipa-adtrust-install --add-sids. I did notice when I was setting this up recently that I had to run the adtrust-install command whenever I added new users or groups. I don't know if it was just me being impatient or a limitation. Another thing I noticed that is different between our two setups is I couldn't get this setup to work on a separate host; I am running samba on the same host as my ipa service.
--Joshua D Doll

On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen <[email protected]> wrote:
> Same result...
>
> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=casalogic,dc=lan> (default) with scope subtree
> # filter: uid=th
> # requesting: ipaNTHash
> #
>
> # th, users, compat, casalogic.lan
> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>
> # th, users, accounts, casalogic.lan
> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <[email protected]> wrote:
>
> What about as directory manager?
>
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <[email protected]> wrote:
>
>> I should think so:
>>
>> On IPA server.
>>
>> ipa role-show 'CIFS server'
>> Role name: CIFS server
>> Privileges: CIFS server privilege
>> Member services: cifs/[email protected]
>>
>> ipa privilege-show 'CIFS server privilege'
>> Privilege name: CIFS server privilege
>> Permissions: CIFS test, CIFS server can read user passwords
>> Granting privilege to roles: CIFS server
>>
>> ipa permission-show 'CIFS server can read user passwords'
>> Permission name: CIFS server can read user passwords
>> Granted rights: read, search, compare
>> Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>> Bind rule type: permission
>> Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>> Type: user
>> Granted to Privilege: CIFS server privilege
>> Indirect Member of roles: CIFS server
>>
>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/[email protected] -k /tmp/samba.keytab
>>
>> samba.keytab copied to samba server.
>>
>> on samba server (tinkerbell):
>> kdestroy -A
>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>>
>> SASL/GSSAPI authentication started
>> SASL username: cifs/[email protected]
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>>
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <[email protected]> wrote:
>>
>> Are you using the correct principal for the ldapsearch? Did you grant it permissions to view those attributes?
>>
>> --Joshua D Doll
>>
>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <[email protected]> wrote:
>>
>>> Hmm, weird.
>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs.
>>> However, I still can't see them on the user.
>>> An IPA-db doesn't reveal them being generated and I can't look them up via LDAP.
>>>
>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>> .......
>>> # th, users, compat, casalogic.lan
>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>
>>> # th, users, accounts, casalogic.lan
>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>
>>> .....
>>>
>>> Samba however starts fine now, but is unable to find any users:
>>> pdbedit -Lv
>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>>
>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <[email protected]> wrote:
>>>
>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the ipa-adtrust-install --add-sids, even though I was not setting up a trust. It would be nice if there was a way to generate these values another way, maybe there is but I missed it.
>>>
>>> --Joshua D Doll
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>>
>> Kind regards,
>>
>> *Troels Hansen*
>>
>> Systems Consultant
>>
>> Casalogic A/S
>>
>> T (+45) 70 20 10 63
>>
>> M (+45) 22 43 71 57
>> <http://www.casalogic.dk/signatur/th.vcf>
>> <http://www.linkedin.com/company/67524> <http://twitter.com/casalogic>
>> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
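As an added example (not code from this thread or from the FreeIPA project), here is a small Python check that encodes the diagnosis the thread walks through: run the same ldapsearch for a user once as Directory Manager and once as the cifs/ principal, parse the LDIF, and tell "the attributes were never stored" apart from "the cifs principal is not allowed to read them". The realm, DN and LDIF samples are constructed placeholders.

```python
import base64
REQUESTED = ("ipaNTHash", "ipaNTSecurityIdentifier")
DN = "uid=th,cn=users,cn=accounts,dc=example,dc=test"  # constructed, not the thread's DN
# Constructed ldapsearch output (example.test is a placeholder realm): as Directory
# Manager both attributes come back, as the cifs/ principal only the DN does.
LDIF_AS_DIRMGR = """# filter: uid=th
dn: uid=th,cn=users,cn=accounts,dc=example,dc=test
ipaNTHash:: AAECAwQFBgcICQoLDA0ODw==
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001

search: 2
result: 0 Success
"""
LDIF_AS_CIFS = """dn: uid=th,cn=users,cn=accounts,dc=example,dc=test

result: 0 Success
"""

def parse_ldif(text):
    """ldapsearch LDIF -> {dn: {attr: [values]}}; '#' comments skipped, a blank line
    ends an entry, '::' (base64) values returned as hex, trailer lines ignored."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None                      # blank line: entry finished
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, val = line.split(":", 1)
        val = base64.b64decode(val[1:].strip()).hex() if val.startswith(":") else val.strip()
        if attr == "dn":
            cur = entries.setdefault(val, {})
        elif cur is not None:               # 'search:'/'result:' sit outside an entry
            cur.setdefault(attr, []).append(val)
    return entries

def missing_attrs(entries, dn, requested=REQUESTED):
    """Requested attributes the search did not return for this entry."""
    return [a for a in requested if a not in entries.get(dn, {})]

def diagnose(as_dirmgr, as_cifs, dn):
    """Same search run as Directory Manager and as the cifs/ principal, compared."""
    if dn not in as_dirmgr:
        return "entry-not-found"
    if missing_attrs(as_dirmgr, dn):
        return "not-generated"   # even Directory Manager gets nothing: values never stored
    if missing_attrs(as_cifs, dn):
        return "not-readable"    # stored, but the cifs principal's permission misses them
    return "ok"
```

A "not-readable" result points at the permission side (the permission in the thread must actually apply to the bind the cifs/ principal uses), while "not-generated" means the values have to be created first, as the thread describes with ipa-adtrust-install --add-sids. Keep in mind that FreeIPA only stores an ipaNTHash when a user's password is set after Samba/AD-trust support has been enabled, so "not-generated" can persist for a user until that password is changed.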
