Well, I think the problem here is that I'm missing the attributes. One "funny" thing is that apparently some users have had the ipantuserattrs objectclass and an ipaNTSecurityIdentifier SID added. Some don't (including mine). I tried adding a new user, just to test, and it gets created with an ipaNTSecurityIdentifier; however, my old users still don't have one. I guess I just need a way to have IPA add ipantuserattrs and ipaNTSecurityIdentifier to my existing users.
When running ipa-adtrust-install, it finds 85 users without a SID, and I installed the SID plugin (which is just 2 LDIFs), but this still doesn't do anything.

----- On Oct 29, 2015, at 8:16 PM, Joshua Doll <[email protected]> wrote:

> Hmm.. well I'm at a loss then. I only had to run the ipa-adtrust-install
> --add-sids. I did notice when I was setting this up recently that I had to run
> the adtrust-install command whenever I added new users or groups. I don't know
> if it was just me being impatient or a limitation. Another thing I noticed that
> is different between our two setups is I couldn't get this setup to work on a
> separate host; I am running samba on the same host as my ipa service.
>
> --Joshua D Doll
>
> On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen <[email protected]> wrote:
>
>> Same result...
>>
>> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>> # filter: uid=th
>> # requesting: ipaNTHash
>> #
>>
>> # th, users, compat, casalogic.lan
>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>
>> # th, users, accounts, casalogic.lan
>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> ----- On Oct 29, 2015, at 7:45 PM, Joshua Doll <[email protected]> wrote:
>>
>>> What about as directory manager?
>>>
>>> --Joshua D Doll
>>>
>>> On Thu, Oct 29, 2015 at 2:43 PM Troels Hansen <[email protected]> wrote:
>>>
>>>> I should think so:
>>>>
>>>> On IPA server:
>>>>
>>>> ipa role-show 'CIFS server'
>>>>   Role name: CIFS server
>>>>   Privileges: CIFS server privilege
>>>>   Member services: cifs/[email protected]
>>>>
>>>> ipa privilege-show 'CIFS server privilege'
>>>>   Privilege name: CIFS server privilege
>>>>   Permissions: CIFS test, CIFS server can read user passwords
>>>>   Granting privilege to roles: CIFS server
>>>>
>>>> ipa permission-show 'CIFS server can read user passwords'
>>>>   Permission name: CIFS server can read user passwords
>>>>   Granted rights: read, search, compare
>>>>   Effective attributes: ipaNTHash, ipaNTSecurityIdentifier
>>>>   Bind rule type: permission
>>>>   Subtree: cn=users,cn=accounts,dc=casalogic,dc=lan
>>>>   Type: user
>>>>   Granted to Privilege: CIFS server privilege
>>>>   Indirect Member of roles: CIFS server
>>>>
>>>> ipa-getkeytab -s kenai.casalogic.lan -p cifs/[email protected] -k /tmp/samba.keytab
>>>>
>>>> samba.keytab copied to samba server.
>>>>
>>>> On samba server (tinkerbell):
>>>>
>>>> kdestroy -A
>>>> kinit -kt /etc/samba/samba.keytab cifs/tinkerbell.casalogic.lan
>>>> ldapsearch -h kenai.casalogic.lan -Y GSSAPI uid=th ipaNTHash
>>>> SASL/GSSAPI authentication started
>>>> SASL username: cifs/[email protected]
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=casalogic,dc=lan> (default) with scope subtree
>>>> # filter: uid=th
>>>> # requesting: ipaNTHash
>>>> #
>>>>
>>>> # th, users, compat, casalogic.lan
>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>>
>>>> # th, users, accounts, casalogic.lan
>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>>
>>>> # search result
>>>> search: 4
>>>> result: 0 Success
>>>>
>>>> # numResponses: 3
>>>> # numEntries: 2
>>>>
>>>> ----- On Oct 29, 2015, at 3:27 PM, Joshua Doll <[email protected]> wrote:
>>>>
>>>>> Are you using the correct principal for the ldapsearch? Did you grant it
>>>>> permissions to view those attributes?
>>>>>
>>>>> --Joshua D Doll
>>>>>
>>>>> On Thu, Oct 29, 2015 at 9:14 AM Troels Hansen <[email protected]> wrote:
>>>>>
>>>>>> Hmm, weird.
>>>>>> I ran ipa-adtrust-install and it said it had users without SIDs, and I
>>>>>> told it to generate SIDs.
>>>>>> However, I still can't see them on the user.
>>>>>> An IPA-db doesn't reveal them being generated and I can't look them up
>>>>>> via LDAP.
>>>>>>
>>>>>> ldapsearch -Y GSSAPI uid=th ipaNTHash
>>>>>> .......
>>>>>> # th, users, compat, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
>>>>>>
>>>>>> # th, users, accounts, casalogic.lan
>>>>>> dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
>>>>>> .....
>>>>>>
>>>>>> Samba, however, starts fine now, but is unable to find any users:
>>>>>>
>>>>>> pdbedit -Lv
>>>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain casalogic.lan
>>>>>>
>>>>>> ----- On Oct 27, 2015, at 3:46 PM, Joshua Doll <[email protected]> wrote:
>>>>>>
>>>>>>> To get the ipaNTHash and ipaNTSecurityIdentifier attributes, I had to run the
>>>>>>> ipa-adtrust-install --add-sids, even though I was not setting up a trust. It
>>>>>>> would be nice if there was a way to generate these values another way; maybe
>>>>>>> there is, but I missed it.
>>>>>>>
>>>>>>> --Joshua D Doll

--
Kind regards

Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
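Added illustration (my own code, not from the thread or from FreeIPA): a Python script that parses ldapsearch LDIF output, including the folded lines and comments ldapsearch emits, and lists the uids under cn=users,cn=accounts that still lack the ipantuserattrs objectclass or a well-formed ipaNTSecurityIdentifier, which is the audit Troels needed for his 85 users. The embedded LDIF is constructed; real input would come from an ldapsearch run with a bind that is permitted to read those attributes, as in the Directory Manager search quoted above.

```python
# Added example, not from the thread: audit ldapsearch LDIF output for FreeIPA users
# missing ipantuserattrs / ipaNTSecurityIdentifier. SAMPLE_LDIF is constructed.
import re

SAMPLE_LDIF = """\
# th, users, accounts, casalogic.lan
dn: uid=th,cn=users,cn=accounts,dc=casalogic,dc=lan
uid: th
objectClass: posixaccount

dn: uid=newuser,cn=users,cn=accounts,dc=casalogic,dc=lan
uid: newuser
objectClass: posixaccount
objectClass: ipantuserattrs
ipaNTSecurityIdentifier: S-1-5-21-1234567890-234567891-345678912-
 1001

dn: uid=th,cn=users,cn=compat,dc=casalogic,dc=lan
"""
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")  # domain SID plus RID

def parse_ldif(text):
    """Yield {attr_lower: [values]} per entry; handles comments and folded lines."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:            # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        else:                                        # blank line closes an entry
            entry = {}
            for line in lines:
                if not line.startswith("#"):
                    attr, _, value = line.partition(":")
                    entry.setdefault(attr.lower(), []).append(value.strip())
            if entry:
                yield entry
            lines = []

def users_without_sid(text):
    """uids under cn=users,cn=accounts lacking ipantuserattrs or a well-formed SID."""
    missing = []
    for e in parse_ldif(text):
        if ",cn=users,cn=accounts," not in e.get("dn", [""])[0].lower():
            continue                                 # skip compat-tree copies
        classes = {c.lower() for c in e.get("objectclass", [])}
        sids = e.get("ipantsecurityidentifier", [])
        if "ipantuserattrs" not in classes or not any(SID_RE.match(s) for s in sids):
            missing.append(e["uid"][0])
    return missing
```

Entries from the cn=compat tree are skipped on purpose, since ldapsearch on the page returns both copies of each user and only the cn=accounts entry carries the attributes.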
