Hi Chris,

A puppet run added another passdb backend, that was causing my issue.

What I still experience is:

[2015/08/04 15:29:45.477783, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'username' in passdb.
[2015/08/04 15:29:45.478026, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER

I also wonder if I shall still sync the users local, or is it needed ?

Thanks again,

Matt

2015-08-04 14:16 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
> Hi Matt
>
> From our smb.conf file:
>
> [global]
>    security = user
>    passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
>    ldap suffix = dc=my,dc=silly,dc=example,dc=com
>    ldap admin dn = cn=Directory Manager
>
> So yes, we use Directory Manager, it works for us. I have not tried with a
> less powerful user, but it is conceivable that a lesser user may not see
> all the required attributes, resulting in "no such user" errors.
>
> Chris
>
> From: "Matt ." <yamakasi....@gmail.com>
> To: Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Date: 04.08.2015 13:32
> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>
> Hi Chris,
>
> Thanks for the heads up, indeed local is 4 I see now when I add a
> group from the GUI, great thanks!
>
> But do you use Directory Manager as ldap admin user or some other
> admin account ?
>
> I'm not sure if DM is needed and it should get that deep into IPA.
> Also when starting samba it cannot find "such user" as that sounds
> quite known as it has no UID.
>
> From your config I see you use DM, this should work ?
>
> Thanks!
>
> Matt
>
>> 2015-08-03 17:17 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>> Hi Matt
>>>
>>> It sounds like you now have prepared FreeIPA for Samba
>>>
>>> I assume you have already configured Samba to authenticate via FreeIPA
>>> (changes to the [global] section of your smb.conf file, secrets.tdb etc.)
>>>
>>> Next you need to add your samba groups to FreeIPA. (i.e. FreeIPA groups,
>>> with SambaGroupType = 4)
>>>
>>> For example:
>>>
>>> In FreeIPA under cn=accounts, cn=users we have a group called "smb-junit".
>>>
>>> This group has (among others) the attribute SambaGroupType = 4
>>>
>>> We can then use the name of the group in the smb.conf file
>>>
>>> [junit]
>>>    comment = JUnit Share
>>>    path = /samba/junit
>>>    browseable = no
>>>    valid users = @smb-junit
>>>    write list = @smb-junit
>>>    force group = smb-junit
>>>    create mask = 0770
>>>
>>> Ciao
>>>
>>> Chris
>>>
>>> From: "Matt ." <yamakasi....@gmail.com>
>>> To: Christopher Lamb/Switzerland/IBM@IBMCH
>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>, Petr Vobornik <pvobo...@redhat.com>
>>> Date: 03.08.2015 16:03
>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>> Hi,
>>>
>>> OK, I have a Samba Group Type now in my groups details list and also
>>> in the groups settings tab.
>>>
>>> I'm not 100% how this is managed. I have Grouptype 4, in the groups
>>> overview it's still empty. But how to manage this between samba and
>>> ipa ? What should be the reference between the group(names) ?
>>>
>>> Thanks again!
>>>
>>> Matt
>>>
>>> 2015-08-03 13:20 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>>> Hi Matt
>>>>
>>>> It looks like I skipped that step ...
>>>> (And as we already had samba groups in place, did not need to make new
>>>> ones via the WebUI).
>>>>
>>>> However a quick google trawled up this old thread that has a possible
>>>> answer from Peter. (I have not tested it yet myself).
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2014-May/msg00137.html
>>>>
>>>> Chris
>>>>
>>>> From: "Matt ." <yamakasi....@gmail.com>
>>>> To:
>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>>> Date: 03.08.2015 12:45
>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>> Sent by: freeipa-users-boun...@redhat.com
>>>>
>>>> In my previous reply, I meant "no group.js at all" .
>>>>
>>>> 2015-08-03 12:17 GMT+02:00 Matt . <yamakasi....@gmail.com>:
>>>>> Hi Chris,
>>>>>
>>>>> Thanks for that verification!
>>>>>
>>>>> It seems that:
>>>>>
>>>>> /usr/share/ipa/ui/group.js
>>>>>
>>>>> Is not there on IPA.4.1, also there is no .js at all on the whole system.
>>>>>
>>>>> Any idea there ?
>>>>>
>>>>> Thanks again!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-03 9:53 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>>>>> Hi Matt
>>>>>>
>>>>>> Thankfully I saved the output from those ldapmodify commands (against
>>>>>> FreeIPA 4.1) and was able to find it again!
>>>>>>
>>>>>> In our case sambagrouptype also seems to have already been present, so that
>>>>>> should not hurt.
>>>>>>
>>>>>> [root@xxx-ldap2 samba]# ldapmodify -Y GSSAPI <<EOF
>>>>>> > dn: cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com
>>>>>> > changetype: add
>>>>>> > add: ipaCustomFields
>>>>>> > ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> > EOF
>>>>>> SASL/GSSAPI authentication started
>>>>>> SASL username: l...@my.silly.example.com
>>>>>> SASL SSF: 56
>>>>>> SASL data security layer installed.
>>>>>> adding new entry "cn=ipaconfig,cn=etc,dc=my,dc=silly,dc=example,dc=com"
>>>>>> ldap_add: Already exists (68)
>>>>>>
>>>>>> Chris
>>>>>>
>>>>>> From: "Matt ." <yamakasi....@gmail.com>
>>>>>> To:
>>>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>>>>> Date: 02.08.2015 13:33
>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>> Sent by: freeipa-users-boun...@redhat.com
>>>>>>
>>>>>> Chris,
>>>>>>
>>>>>> Are you doing this on 3.x or also 4.x ?
>>>>>>
>>>>>> As the following already exists:
>>>>>>
>>>>>> ldapmodify -Y GSSAPI <<EOF
>>>>>> dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
>>>>>> changetype: add
>>>>>> add: ipaCustomFields
>>>>>> ipaCustomFields: "Samba Group Type,sambagrouptype,true"
>>>>>> EOF
>>>>>>
>>>>>> And I'm unsure about the python files as they are slightly different on 4.1
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> 2015-08-01 19:51 GMT+02:00 Matt . <yamakasi....@gmail.com>:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Yes I found that earlier, that looks good and even better when you
>>>>>>> confirm this as really usable.
>>>>>>>
>>>>>>> For Samba 4 the IPA devs are very busy but I wonder indeed what
>>>>>>> happens when we "need" to move because integration has been improved.
>>>>>>>
>>>>>>> I try to keep IPA as native as I can.
>>>>>>>
>>>>>>> So this is the best way to go for now, even when this thread is such "old" ?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-01 9:48 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>>>>>>> Hi Matt
>>>>>>>>
>>>>>>>> For a "how to" of Samba FreeIPA integration using schema extensions, see
>>>>>>>> this previous thread
>>>>>>>>
>>>>>>>> https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
>>>>>>>>
>>>>>>>> That should point to this techslaves article with the detailed instructions
>>>>>>>> that we followed:
>>>>>>>>
>>>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>>>>>>>>
>>>>>>>> The main reason we went that way is that we have no AD domain, which seems
>>>>>>>> to be required by other integration paths.
>>>>>>>>
>>>>>>>> Note we are running FreeIPA and Samba on OEL servers (first 6.x, now 7.x).
>>>>>>>> So things may be different on Ubuntu.
>>>>>>>>
>>>>>>>> As always, when changing the LDAP schema, an LDAP browser like Apache
>>>>>>>> Directory Studio is very useful to visualise what is going on and to verify
>>>>>>>> if your changes are present! (and is sometimes easier to manually change
>>>>>>>> attributes rather than by LDAPMODIFY script....)
>>>>>>>>
>>>>>>>> There is another ongoing thread in this mailing list about problems with
>>>>>>>> the attribute SambaPwdLastSet.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>>> From: "Matt ." <yamakasi....@gmail.com>
>>>>>>>> To:
>>>>>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>>>>>>> Date: 31.07.2015 16:58
>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>> Sent by: freeipa-users-boun...@redhat.com
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> This is nice to have confirmed.
>>>>>>>>
>>>>>>>> Is it possible for you to describe what you do ? It might be handy to
>>>>>>>> add this to the IPA documentation also with some explanation why...
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>> 2015-07-31 16:55 GMT+02:00 Christopher Lamb <christopher.l...@ch.ibm.com>:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> We use the Samba extensions for FreeIPA. Windows 7 users connect to the
>>>>>>>>> "shares" using their FreeIPA credentials. The only password mgmt problem
>>>>>>>>> that we have is, that the users get no notice of password expiry until
>>>>>>>>> "suddenly" their Samba user (really the FreeIPA user) password is not
>>>>>>>>> accepted when trying to connect to a share. Once the password is reset (via
>>>>>>>>> CLI or FreeIPA WebUi), they can access the shares again.
>>>>>>>>>
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> From: Youenn PIOLET <piole...@gmail.com>
>>>>>>>>> To: "Matt ." <yamakasi....@gmail.com>
>>>>>>>>> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>>>>>>>> Date: 31.07.2015 16:21
>>>>>>>>> Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>>>>>>> Sent by: freeipa-users-boun...@redhat.com
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> I asked the very same question a few weeks ago, but no answer yet.
>>>>>>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/18174
>>>>>>>>>
>>>>>>>>> The only method I see is to install samba extensions in FreeIPA's LDAP
>>>>>>>>> directory, and bind samba with LDAP. There may be a lot of difficulties
>>>>>>>>> with password management doing this, that's why I'd like to get a better
>>>>>>>>> solution :)
>>>>>>>>>
>>>>>>>>> Anyone?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Youenn Piolet
>>>>>>>>> piole...@gmail.com
>>>>>>>>>
>>>>>>>>> 2015-07-31 16:03 GMT+02:00 Matt . <yamakasi....@gmail.com>:
>>>>>>>>> Hi Guys,
>>>>>>>>>
>>>>>>>>> I'm really struggling getting a NON AD Samba server authing against a
>>>>>>>>> FreeIPA server:
>>>>>>>>>
>>>>>>>>> Ubuntu 14.04 -> Samba (no AD) / SSD 1.12.5
>>>>>>>>> CentOS 7.1 -> FreeIPA 4.1
>>>>>>>>>
>>>>>>>>> Now this seems to be the way:
>>>>>>>>>
>>>>>>>>> https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>>>
>>>>>>>>> But as this, which I also found on the mailinglists:
>>>>>>>>>
>>>>>>>>> NOTE: Only Kerberos authentication will work when accessing Samba
>>>>>>>>> shares using this method. This means that Windows clients not joined
>>>>>>>>> to Active Directory forest trusted by IPA would not be able to access
>>>>>>>>> the shares. This is related to SSSD not yet being able to handle
>>>>>>>>> NTLMSSP authentication.
>>>>>>>>>
>>>>>>>>> It might not be that easy to have a Samba Shares only server.
>>>>>>>>>
>>>>>>>>> Any idea here how to accomplish ?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
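
Two configuration points raised in this thread, a second "passdb backend" line appended by configuration management and "ldap admin dn" bound as Directory Manager, can be checked mechanically before smbd is restarted. The following is an added example, not code from any participant or from the Samba or FreeIPA projects; the sample file is constructed from the [global] section quoted above, the tdbsam line is an assumed stand-in for whatever the Puppet run added, and the function names are hypothetical.

```python
import re

# Constructed sample: the [global] section quoted in the thread plus a second
# "passdb backend" line standing in for the one a Puppet run appended.
SAMPLE_SMB_CONF = """\
[global]
   security = user
   passdb backend = ldapsam:ldap://xxx-ldap2.my.silly.example.com
   ldap suffix = dc=my,dc=silly,dc=example,dc=com
   ldap admin dn = cn=Directory Manager
   passdb backend = tdbsam
[junit]
   path = /samba/junit
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {param: [(line_no, value), ...]} for the [global] section only."""
    params, section = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = _norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params.setdefault(_norm(key), []).append((no, value.strip()))
    return params

def audit(text):
    params = parse_global(text)
    backends = params.get("passdbbackend", [])
    findings = []
    if len(backends) > 1:
        # Assumption: the last definition is the one smbd ends up using.
        where = ", ".join(str(no) for no, _ in backends)
        findings.append(f"passdb backend set {len(backends)} times "
                        f"(lines {where}); last value: {backends[-1][1]}")
    for no, dn in params.get("ldapadmindn", []):
        if _norm(dn) == "cn=directorymanager":
            findings.append(f"line {no}: ldap admin dn is the directory superuser")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF)))
```

Run against the real smb.conf by passing its contents to audit(); line continuations and include files are not handled.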