Hi Matt

When we originally integrated FreeIPA and Samba we were on 3.x for both products.
We are now on 4.x for both. The FreeIPA server was a new setup, with users and hosts migrated across (not replicated). We then ran the scripts in the techslaves article.

I will look back and see if I can find any notes from the time we did the integration.

Chris

From: "Matt ." <yamakasi....@gmail.com>
To:
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date: 02.08.2015 13:33
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Sent by: freeipa-users-boun...@redhat.com

Chris,

Are you doing this on 3.x or also 4.x ?

As the following already exists:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"
EOF

And I'm unsure about the python files as they are slightly different on 4.1

Thanks!

2015-08-01 19:51 GMT+02:00 Matt . <yamakasi....@gmail.com>:
> Hi,
>
> Yes I found that earlier, that looks good and even better when you
> confirm this as really usable.
>
> For Samba 4 the IPA devs are very busy but I wonder indeed what
> happens when we "need" to move because integration has been improved.
>
> I try to keep IPA as native as I can.
>
> So this is the best way to go for now, even when this thread is such "old" ?
>
> Thanks!
>
> Matt
>
>
> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>> Hi Matt
>>
>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>> this previous thread
>>
>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>
>> That should point to this techslaves article with the detailed instructions
>> that we followed:
>>
>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>
>> The main reason we went that way is that we have no AD domain, which seems
>> to be required by other integration paths.
>>
>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>> So things may be different on Ubuntu.
>>
>> As always, when changing the LDAP schema, an LDAP browser like Apache
>> Directory Studio is very useful to visualise what is going on and to verify
>> if your changes are present! (and is sometimes easier to manually change
>> attributes rather than by LDAPMODIFY script....)
>>
>> There is another ongoing thread in this mailing list about problems with
>> the attribute SambaPwdLastSet.
>>
>> Chris
>>
>>
>>
>> From: "Matt ." <yamakasi....@gmail.com>
>> To:
>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>> Date: 31.07.2015 16:58
>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>> Sent by: freeipa-users-boun...@redhat.com
>>
>>
>>
>> Hi,
>>
>> This is nice to have confirmed.
>>
>> Is it possible for you to describe what you do ? It might be handy to
>> add this to the IPA documentation also with some explanation why...
>>
>> Cheers,
>>
>> Matt
>>
>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>> Hi
>>>
>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>> that we have is, that the users get no notice of password expiry until
>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>> accepted when trying to connect to a share. Once the password is reset (via
>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>
>>> Chris
>>>
>>>
>>>
>>> From: Youenn PIOLET <piole...@gmail.com>
>>> To: "Matt ." <yamakasi....@gmail.com>
>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>> Date: 31.07.2015 16:21
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>> Sent by: freeipa-users-boun...@redhat.com
>>>
>>>
>>>
>>> Hi,
>>> I asked the very same question a few weeks ago, but no answer yet.
>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>
>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>> with password management doing this, that's why I'd like to get a better
>>> solution :)
>>>
>>> Anyone?
>>>
>>>
>>> --
>>> Youenn Piolet
>>> piole...@gmail.com
>>>
>>>
>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi....@gmail.com>:
>>> Hi Guys,
>>>
>>> I'm really struggling getting a NON AD Samba server authing against a
>>> FreeIPA server:
>>>
>>> Ubuntu 14.04 -> Samba (no AD) / SSSD 1.12.5
>>> CentOS 7.1 -> FreeIPA 4.1
>>>
>>> Now this seems to be the way:
>>>
>>> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>> But as this, which I also found on the mailing lists:
>>>
>>> NOTE: Only Kerberos authentication will work when accessing Samba
>>> shares using this method. This means that Windows clients not joined
>>> to Active Directory forest trusted by IPA would not be able to access
>>> the shares. This is related to SSSD not yet being able to handle
>>> NTLMSSP authentication.
>>>
>>> It might not be that easy to have a Samba Shares only server.
>>>
>>> Any idea here how to accomplish ?
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
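
Added example, not part of the original thread or of FreeIPA/Samba: the thread notes that users get no notice before an expired FreeIPA password is rejected for Samba shares. The sketch below flags such accounts from `ldapsearch` output. It assumes plain (non-base64, unfolded) LDIF carrying `uid` and `krbPasswordExpiration`; the sample entries, the "today" value and the 14-day window are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of `ldapsearch -LLL ... uid krbPasswordExpiration` output.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=domain,dc=tld
uid: alice
krbPasswordExpiration: 20150810120000Z

dn: uid=bob,cn=users,cn=accounts,dc=domain,dc=tld
uid: bob
krbPasswordExpiration: 20151101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=domain,dc=tld
uid: carol
krbPasswordExpiration: 20150730090000Z

dn: uid=svc-backup,cn=users,cn=accounts,dc=domain,dc=tld
uid: svc-backup
"""

def parse_entries(ldif):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                entry[name.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def expiring(ldif, now, warn_days=14):
    """Return (uid, days_left) for passwords expired or expiring within warn_days."""
    result = []
    for entry in parse_entries(ldif):
        stamp = entry.get("krbpasswordexpiration")
        if not stamp or "uid" not in entry:
            continue  # entry has no expiry recorded; nothing to warn about
        expiry = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        days_left = (expiry - now).days  # negative means already expired
        if days_left <= warn_days:
            result.append((entry["uid"], days_left))
    return sorted(result, key=lambda item: item[1])

if __name__ == "__main__":
    now = datetime(2015, 8, 2, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    for uid, days in expiring(SAMPLE_LDIF, now):
        print(uid, "EXPIRED" if days < 0 else f"{days} day(s) left")
```

The returned list can feed a mail or ticket notification so the reset happens before share access fails.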