Discussion:
[Freeipa-users] FreeIPA and Samba
Степаненко Алексей
2016-10-06 16:23:32 UTC
Hello.

I've read the topic about FreeIPA and SAMBA
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

If I understand clearly, samba's client must be present in FreeIPA AD.
Unfortunately, it does not work for me. I can't join some work desktops
to AD. Is it possible to make Samba auth through LDAP IPA? Samba has
ldap support

ldap admin dn
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap passwd sync
ldap suffix
ldap user suffix

Does it work with IPA?

Thanks.
--
With best regards.
Loris Santamaria
2016-10-06 17:31:26 UTC
The document you are linking to explains how to configure a samba file
server in a freeipa domain, which is one of many ways you can configure
and use a samba server.

What do you want to achieve with samba, and what is your current setup?
--
Loris Santamaria linux user #70506 xmpp:***@lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:***@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
Степаненко Алексей
2016-10-06 20:51:09 UTC
Thank you for your reply.

I've got a Samba server for a company; accounts are created by hand.
Clients are different Windows or Linux desktops.

I want to install FreeIPA and have one area for managing accounts (SMB,
SSH access for other servers). Now I am preparing a clean Samba installation
for testing. It would be great to use FreeIPA as authorization server
for samba.

I was looking for information about samba + freeIPA, but I found only
this document. Maybe I am missing obvious things.
--
With best regards,
Степаненко Алексей,
Head of the Information Technology Group,
ООО "Глобал Веб Групп"
Website: http//gw.spb.ru
Tel.: +7 (812) 409-00-90
Степаненко Алексей
2016-10-10 20:35:20 UTC
I read the topic again:
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP
It works exactly as I wanted.

ipa-adtrust-install created the following configuration:

$ net conf list
[global]
workgroup = WORKGROUP
netbios name = SMB
realm = GW.SPB.RU
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=gw,dc=spb,dc=ru
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork

But I don't understand why it wasn't put into smb.conf directly.

The second problem is 'passdb backend'. I didn't find any documentation
about this module. An attempt to replace the file socket with a network
connection failed. And I had to set up LDAP replication. It was easy, but
"ipa-replica-prepare" installed the whole IPA server (tomcat, java, ldap),
not only the LDAP server. I need to continue reading the documentation.
However, the problem was solved.
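An added example (not part of the original post, and not FreeIPA or Samba code): a small Python check over `net conf list` output like the one quoted above. It decodes the percent-encoded `ldapi://` socket path in `passdb backend` and reports whether `ldap ssl = off` applies to a local UNIX socket or to a network LDAP connection without TLS. The function names and the `ldap://ipa.example.test` variant are assumptions made for the illustration.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: excerpt of the `net conf list` output quoted in the thread.
SAMPLE = """\
[global]
    security = user
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket
    ldap ssl = off
    ldap suffix = dc=gw,dc=spb,dc=ru
"""

TLS_OFF = {"off", "no", "false", "0"}  # spellings this check treats as "no TLS"


def parse_net_conf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def describe_backend(value):
    """Split 'module:url' and work out how the LDAP server is reached."""
    module, _, url = value.partition(":")
    parts = urlsplit(url)
    info = {"module": module, "scheme": parts.scheme.lower()}
    if info["scheme"] == "ldapi":
        # ldapi:// puts the percent-encoded UNIX socket path where a host would be.
        info["target"] = unquote(parts.netloc)
    else:
        info["target"] = parts.hostname
    return info


def audit(text):
    """Return (level, message) describing the LDAP transport of [global]."""
    conf = parse_net_conf(text).get("global", {})
    backend = describe_backend(conf.get("passdb backend", ""))
    # smb.conf(5) documents "start tls" as the default for "ldap ssl".
    tls_off = conf.get("ldap ssl", "start tls").lower() in TLS_OFF
    if backend["scheme"] == "ldapi":
        return ("ok", f"local socket {backend['target']}; traffic stays on this host")
    if backend["scheme"] == "ldap" and tls_off:
        return ("warn", f"LDAP to {backend['target']} without TLS: "
                        "enable StartTLS or use ldaps://")
    if backend["scheme"] in ("ldap", "ldaps"):
        return ("ok", f"{backend['scheme']} to {backend['target']} with TLS")
    return ("info", "passdb backend is not an LDAP URL")


if __name__ == "__main__":
    print(audit(SAMPLE))
    # Constructed variant: the same settings pointed at a hypothetical network URL.
    remote = SAMPLE.replace("ldapi://%2fvar%2frun%2fslapd-GW-SPB-RU.socket",
                            "ldap://ipa.example.test")
    print(audit(remote))
```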
Alan Latteri
2016-10-10 21:35:02 UTC
Nice, I think that page may also solve my problem. Going to try it soon.
Alan Latteri
2016-10-12 00:43:21 UTC
I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the 1 Windows machine in our network to be able to access our Linux-based server, using the same user/pass as that of our IPA-authenticated Linux machines.
Loris Santamaria
2016-10-12 01:47:51 UTC
If you just need to join a handful of windows machines to a freeIPA
domain, try with these instructions:

https://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html

Best regards 
Aleksey Stepanenko
2016-10-12 08:22:52 UTC
My Samba server and IPA server are different machines too. I made LDAP
replication IPA-SAMBA
(https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=6).
Unfortunately, it makes full replication (not only ldap-server), but it
works. My Windows machines are not joined to a domain.