Hi, Yes I found that earlier, that looks good and even better when you confirm this as really usable.
For Samba 4 the IPA devs are very busy but I wonder indeed what happends when we "need" to move because integration has been improved. I try to keep IPA as native as I can. So this is the best way to go for now, even when this thread is such "old" ? Thanks! Matt 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>: > Hi Matt > > For a "how to" of Samba FreeIPA integration using schema extensions, see > this previous thread > > https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html > > That should point to this techslaves article with the detailed instructions > that we followed: > > http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ > > The main reason we went that way is that we have no AD domain, which seems > to be required by other integration paths. > > Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x). > So things may be different on Ubuntu. > > As always, when changing the LDAP schema, an LDAP browser like Apache > Directory Studio is very useful to visualise what is going on and to verify > if your changes are present! (and is sometime easier to manually change > attributes rather than by LDAPMODIFY script....) > > There is another ongoing thread in this mailing list about problems with > the attribute SambaPwdLastSet. > > Chris > > > > From: "Matt ." <yamakasi....@gmail.com> > To: > Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> > Date: 31.07.2015 16:58 > Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA > Sent by: freeipa-users-boun...@redhat.com > > > > Hi, > > This is nice to have confirmed. > > Is it possible for you to descrive what you do ? It might be handy to > add this to the IPA documentation also with some explanation why... > > Cheers, > > Matt > > 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>: >> Hi >> >> We use the Samba extensions for FreeIPA. Windows 7 users connect to the >> "shares" using their FreeIPA credentials. The only password mgmt problem >> that we have is, that the users get no notice of password expiry until >> "suddenly" their Samba user (really the FreeIPA user) password is not >> accepted when trying to connect to a share. Once the password is reset > (via >> CLI or FreeIPA WebUi), they can access the shares again. >> >> Chris >> >> >> >> From: Youenn PIOLET <piole...@gmail.com> >> To: "Matt ." <yamakasi....@gmail.com> >> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> >> Date: 31.07.2015 16:21 >> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA >> Sent by: freeipa-users-boun...@redhat.com >> >> >> >> Hi, >> I asked the very same question a few weeks ago, but no answer yet. >> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174 >> >> The only method I see is to install samba extensions in FreeIPA's LDAP >> directory, and bind samba with LDAP. There may be a lot of difficulties >> with password management doing this, that's why I'd like to get a better >> solution :) >> >> Anyone? >> >> >> -- >> Youenn Piolet >> piole...@gmail.com >> >> >> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi....@gmail.com>: >> Hi Guys, >> >> I'm really struggeling getting a NON AD Samba server authing against a >> FreeIPA server: >> >> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5 >> CentOS 7.1 -> FreeIPA 4.1 >> >> Now this seems to be the way: >> >> > https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >> >> >> But as this, which I also found on the mailinglists: >> >> NOTE: Only Kerberos authentication will work when accessing Samba >> shares using this method. This means that Windows clients not joined >> to Active Directory forest trusted by IPA would not be able to access >> the shares. This is related to SSSD not yet being able to handle >> NTLMSSP authentication. >> >> It might not be that easy to have a Samba Shares only server. >> >> Any idea here how to accomplish ? >> >> Cheers, >> >> Matt >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> >> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project