Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Petr Spacek
On 10.3.2016 16:06, Rob Verduijn wrote:
> Howdy,
> 
> Out of curiosity, any targeted release for UPN?

Currently 4.4, see https://fedorahosted.org/freeipa/ticket/5354 .

This might change, of course.

Petr^2 Spacek

> 
> Cheers
> Rob
> 
> 2016-03-10 15:15 GMT+01:00 Petr Spacek :
>> On 10.3.2016 13:34, Giulio Casella wrote:
>>> I've seen that howto, but it's not my case. I cannot establish a trust 
>>> between
>>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>>> is not supported by current version of FreeIPA (maybe in future releases).
>>> So: FreeIPA domain and AD domain have to be different.
>>
>> For the record, UPN support is soonish.
>>
>> Petr^2 Spacek
>>
>>>
>>> Giulio
>>>
>>> Il 10/03/2016 13:23, Justin Stephenson ha scritto:
>>>> Hello,
>>>>
>>>> Are you looking for this? This leverages the AD trust to allow samba
>>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>>
>>>> *Howto/Integrating a Samba File Server With IPA*
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> -Justin
>>>>
>>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>>> Hi guys,
>>>>> I've got a FreeIPA domain up and running, with an NFS server, joined to
>>>>> IPA domain, offering user's home directories.
>>>>>
>>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>>> the ability to mount those home directories via samba (entering
>>>>> credentials, not kerberos, being different domains).
>>>>>
>>>>> How can I configure samba to use IPA kerberos authentication
>>>>> to offer access to home directories?
>>>>>
>>>>> I know this could be configured more as a samba question, but I hope
>>>>> someone in this list already faced my scenario.
>>>>>
>>>>> Thanks in advance,
>>>>> Giulio
>>>>>
>>>
>>
>>
>> --
>> Petr^2 Spacek
>>
> 


-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Rob Verduijn
Howdy,

Out of curiosity, any targeted release for UPN?

Cheers
Rob

2016-03-10 15:15 GMT+01:00 Petr Spacek :
> On 10.3.2016 13:34, Giulio Casella wrote:
>> I've seen that howto, but it's not my case. I cannot establish a trust 
>> between
>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>> is not supported by current version of FreeIPA (maybe in future releases).
>> So: FreeIPA domain and AD domain have to be different.
>
> For the record, UPN support is soonish.
>
> Petr^2 Spacek
>
>>
>> Giulio
>>
>> Il 10/03/2016 13:23, Justin Stephenson ha scritto:
>>> Hello,
>>>
>>> Are you looking for this? This leverages the AD trust to allow samba
>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>
>>> *Howto/Integrating a Samba File Server With IPA*
>>>
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>> -Justin
>>>
>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>> Hi guys,
>>>> I've got a FreeIPA domain up and running, with an NFS server, joined to
>>>> IPA domain, offering user's home directories.
>>>>
>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>> the ability to mount those home directories via samba (entering
>>>> credentials, not kerberos, being different domains).
>>>>
>>>> How can I configure samba to use IPA kerberos authentication
>>>> to offer access to home directories?
>>>>
>>>> I know this could be configured more as a samba question, but I hope
>>>> someone in this list already faced my scenario.
>>>>
>>>> Thanks in advance,
>>>> Giulio
>>>>
>>>
>>
>
>
> --
> Petr^2 Spacek
>


Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Petr Spacek
On 10.3.2016 13:34, Giulio Casella wrote:
> I've seen that howto, but it's not my case. I cannot establish a trust between
> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
> another.mydomain.com) in addition to main domain foobar.local. This scenario
> is not supported by current version of FreeIPA (maybe in future releases).
> So: FreeIPA domain and AD domain have to be different.

For the record, UPN support is soonish.

Petr^2 Spacek

> 
> Giulio
> 
> Il 10/03/2016 13:23, Justin Stephenson ha scritto:
>> Hello,
>>
>> Are you looking for this? This leverages the AD trust to allow samba
>> within IPA to resolve AD users from a trusted AD domain/forest
>>
>> *Howto/Integrating a Samba File Server With IPA*
>>
>>
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>>
>> -Justin
>>
>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>> Hi guys,
>>> I've got a FreeIPA domain up and running, with an NFS server, joined to
>>> IPA domain, offering user's home directories.
>>>
>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>> the ability to mount those home directories via samba (entering
>>> credentials, not kerberos, being different domains).
>>>
>>> How can I configure samba to use IPA kerberos authentication
>>> to offer access to home directories?
>>>
>>> I know this could be configured more as a samba question, but I hope
>>> someone in this list already faced my scenario.
>>>
>>> Thanks in advance,
>>> Giulio
>>>
>>
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Giulio Casella
I've seen that howto, but it's not my case. I cannot establish a trust 
between IPA and AD, because AD domain involves additional UPNs 
(mydomain.com and another.mydomain.com) in addition to main domain 
foobar.local. This scenario is not supported by current version of 
FreeIPA (maybe in future releases).

So: FreeIPA domain and AD domain have to be different.

Giulio

On 10/03/2016 13:23, Justin Stephenson wrote:
> Hello,
>
> Are you looking for this? This leverages the AD trust to allow samba
> within IPA to resolve AD users from a trusted AD domain/forest
>
> *Howto/Integrating a Samba File Server With IPA*
>
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> -Justin
>
> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>> Hi guys,
>> I've got a FreeIPA domain up and running, with an NFS server, joined to
>> IPA domain, offering user's home directories.
>>
>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>> the ability to mount those home directories via samba (entering
>> credentials, not kerberos, being different domains).
>>
>> How can I configure samba to use IPA kerberos authentication
>> to offer access to home directories?
>>
>> I know this could be configured more as a samba question, but I hope
>> someone in this list already faced my scenario.
>>
>> Thanks in advance,
>> Giulio

--
Giulio Casella <giulio at di.unimi.it>
System and network manager
Computer Science Dept. - University of Milano



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Justin Stephenson

Hello,

Are you looking for this? This leverages the AD trust to allow samba 
within IPA to resolve AD users from a trusted AD domain/forest


*Howto/Integrating a Samba File Server With IPA*

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


-Justin

On 03/10/2016 06:29 AM, Giulio Casella wrote:
> Hi guys,
> I've got a FreeIPA domain up and running, with an NFS server, joined to
> IPA domain, offering user's home directories.
>
> I'd like to give users on Windows 7 PC (not joined to the same domain)
> the ability to mount those home directories via samba (entering
> credentials, not kerberos, being different domains).
>
> How can I configure samba to use IPA kerberos authentication
> to offer access to home directories?
>
> I know this could be configured more as a samba question, but I hope
> someone in this list already faced my scenario.
>
> Thanks in advance,
> Giulio



Re: [Freeipa-users] FreeIPA as Samba 4 Backend

2013-07-03 Thread Petr Spacek

On 2.7.2013 20:35, Arthur wrote:
> On 28.06.2013 18:57, Simo Sorce wrote:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>> I am new to this mailing list.
>>>
>>> At the moment I would like to migrate all of my users from Microsoft
>>> Active Directory to Open Source, and what I have in mind is getting it
>>> into Samba 4.
>>>
>>> In extending the functionality of it, I decided to integrate FreeIPA
>>> as the backend to Samba 4.
>>>
>>> I saw some obsolete reference on how to use FreeIPA as Samba 4
>>> backend, but I don't know where the new references are.
>>>
>>> Herewith I would seek advice on how to go for my mission.
>>
>> Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to
>> Samba4.
>> We abandoned that path a few years ago as it became clear it was highly
>> unlikely it would work.
>>
>> What we've done is that we changed our integration strategy and
>> introduced cross-realm trusts that work with Active Directory. In the
>> future this should work also with Samba4, but Samba4 code base currently
>> lacks support for cross-forest trusts.
>>
>> Simo.
>
> Does it mean that I cannot make a cross-realm trust between IPA-server
> and Samba4-server at this time?

Yes, it is a Samba 4 limitation.

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA as Samba 4 Backend

2013-07-03 Thread Alexander Bokovoy

On Wed, 03 Jul 2013, Arthur wrote:
> On 28.06.2013 18:57, Simo Sorce wrote:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>> I am new to this mailing list.
>>>
>>> At the moment I would like to migrate all of my users from Microsoft
>>> Active Directory to Open Source, and what I have in mind is getting it
>>> into Samba 4.
>>>
>>> In extending the functionality of it, I decided to integrate FreeIPA
>>> as the backend to Samba 4.
>>>
>>> I saw some obsolete reference on how to use FreeIPA as Samba 4
>>> backend, but I don't know where the new references are.
>>>
>>> Herewith I would seek advice on how to go for my mission.
>>
>> Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to
>> Samba4.
>> We abandoned that path a few years ago as it became clear it was highly
>> unlikely it would work.
>>
>> What we've done is that we changed our integration strategy and
>> introduced cross-realm trusts that work with Active Directory. In the
>> future this should work also with Samba4, but Samba4 code base currently
>> lacks support for cross-forest trusts.
>>
>> Simo.
>
> Does it mean that I cannot make a cross-realm trust between
> IPA-server and Samba4-server at this time?

No, you cannot achieve cross-realm trust with Samba AD DC right now.



--
/ Alexander Bokovoy


Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-18 Thread Simo Sorce
On Mon, 2012-12-17 at 22:48 -0500, William Muriithi wrote:
>>> I know this may be a loaded question, but I am asking it anyways.
>>>
>>> Can anyone tell me what the current status and future plan for IPA /
>>> Samba 4 is?
>>
>> We plan to support setting up trusts with Samba4 just like we do with AD
>> when Samba4 will start supporting Cross-forest trusts. It currently
>> doesn't.
>>
>> Simo.
>
> Yes, it's amazing samba4 has finally gone GA. Plan to set up an
> instance as a backup AD to existing AD some day when I get some time.
> Not well documented though, wish there was a well written book on it.
> Anyway backup AD would be the best way to get some experience, I am
> assuming
>
> A related question, would there be any need to have a replica when
> using trust if the AD is just one instance? What I am asking in
> another way is, if the AD fails, wouldn't the FreeIPA fail to
> authenticate users till AD issues are fixed?

It depends on the case.

In general the answer would be yes, however.
- if you already have a cross-realm TGT you should still be able to
access all IPA services as the AD KDC is not required until a renew is
necessary.
- if you do password based logins then sssd may cache offline
credentials and still let you in (but you will not have a TGT, so you
may not use kerberized services).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

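Simo's answer above describes what keeps working for an AD user when the AD KDC is unreachable: a cached cross-realm TGT (krbtgt/IPA-REALM@AD-REALM) lets the IPA KDC keep issuing service tickets, and AD is only needed again to obtain or renew that TGT; without any TGT, sssd's offline cache may still allow a password login but not Kerberized services. The following is an added example, not code from the list thread or from the FreeIPA project: it parses MIT `klist` output and applies that rule. The realm names, host names and the ticket listing are constructed assumptions.

```python
"""Added example: does this IPA client still work if the AD KDC is down?

Rule applied (from Simo's reply): a valid cross-realm TGT
krbtgt/IPA-REALM@AD-REALM means IPA services stay reachable until it
expires; the AD KDC is needed again only to obtain or renew that TGT.
All realm/host names and the ticket listing below are constructed.
"""
import re
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# One ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")

# Constructed sample in MIT `klist` format (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:krb_ccache_example
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
12/18/2012 09:00:00  12/18/2012 19:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 12/25/2012 09:00:00
12/18/2012 09:00:05  12/18/2012 19:00:00  krbtgt/IPA.EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 12/25/2012 09:00:00
12/18/2012 09:00:10  12/18/2012 19:00:00  nfs/nfs1.ipa.example.com@IPA.EXAMPLE.COM
\trenew until 12/25/2012 09:00:00
"""


def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            service, _, realm = m.group(3).rpartition("@")
            tickets.append({
                "service": service,        # e.g. krbtgt/IPA.EXAMPLE.COM
                "issuing_realm": realm,    # realm whose KDC issued the ticket
                "starts": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "renew_until": None,
            })
        elif line.strip().startswith("renew until ") and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(
                line.strip()[len("renew until "):], TIME_FMT)
    return principal, tickets


def _valid(tickets, service, realm, now):
    """Tickets for `service` issued by `realm` whose lifetime covers `now`."""
    return [t for t in tickets
            if t["service"] == service and t["issuing_realm"] == realm
            and t["starts"] <= now < t["expires"]]


def ad_kdc_required(text, ipa_realm, now_str):
    """Return (required, reason): must the AD KDC be reachable right now for
    this user to keep using Kerberized services in ipa_realm?"""
    now = datetime.strptime(now_str, TIME_FMT)
    principal, tickets = parse_klist(text)
    user_realm = principal.rpartition("@")[2]
    xrealm = _valid(tickets, f"krbtgt/{ipa_realm}", user_realm, now)
    if xrealm:
        t = xrealm[0]
        return False, (f"cross-realm TGT {t['service']}@{t['issuing_realm']} is "
                       f"valid until {t['expires']:%Y-%m-%d %H:%M}; the IPA KDC "
                       f"issues service tickets from it; AD is needed only to renew it")
    if _valid(tickets, f"krbtgt/{user_realm}", user_realm, now):
        return True, ("AD TGT is valid but the cross-realm TGT is missing or "
                      "expired; obtaining a new one needs the AD KDC")
    return True, ("no valid TGT: a password login may still succeed from sssd's "
                  "offline cache, but Kerberized services will not work")


if __name__ == "__main__":
    for when in ("12/18/2012 12:00:00", "12/18/2012 20:00:00"):
        print(when, ad_kdc_required(SAMPLE_KLIST, "IPA.EXAMPLE.COM", when))
```

On a real client, feed it the output of `klist` for the user in question; the decision is only about Kerberos, so a `False` here says nothing about whether the trust's identity lookups (which also go through sssd) are being served from cache.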


Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread Simo Sorce
On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote:
 I know this may be a loaded question, but I am asking it anyways.
 
 
 Can anyone tell me what the current status and future plan for IPA /
 Samba 4 is?

We plan to support setting up trusts with Samba4 just like we do with AD
when Samba4 will start supporting Cross-forest trusts. It currently
doesn't.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread William Muriithi
>> I know this may be a loaded question, but I am asking it anyways.
>>
>> Can anyone tell me what the current status and future plan for IPA /
>> Samba 4 is?
>
> We plan to support setting up trusts with Samba4 just like we do with AD
> when Samba4 will start supporting Cross-forest trusts. It currently
> doesn't.
>
> Simo.

Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance as
a backup AD to existing AD some day when I get some time. Not well
documented though, wish there was a well written book on it. Anyway backup AD
would be the best way to get some experience, I am assuming

A related question, would there be any need to have a replica when using
trust if the AD is just one instance? What I am asking in another way is,
if the AD fails, wouldn't the FreeIPA fail to authenticate users till AD
issues are fixed?

Regards,

William
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> --
>
> Message: 2
> Date: Mon, 17 Dec 2012 16:03:03 -0500
> From: Dmitri Pal d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] anyone know how to do sssd filters?
> Message-ID: 50cf8887.9020...@redhat.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 12/17/2012 03:11 PM, KodaK wrote:
>> I'm attempting to install Satellite in my IPA domain.  There is a
>> ridiculous requirement that the group dba must not already exist
>> prior to installing.  Red Hat support wanted me to *remove* the DBA
>> group and then install.
>>
>> Anyway, I'm trying to play around with filter_groups in sssd, and I
>> can't seem to get it to take.  The man page isn't exactly clear, but
>> here's what I've tried:
>>
>> filter_groups = dba
>> filter_groups= dba@fqdn
>>
>> In the [domain], [sssd] and [nss] sections of the config file.
>>
>> What's the right syntax?  Do I need it in every section?
>
> Is it a local group or a central group?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> --
>
> Message: 3
> Date: Mon, 17 Dec 2012 16:29:00 -0500
> From: Dmitri Pal d...@redhat.com
> To: Simo Sorce s...@redhat.com
> Cc: freeipa-users freeipa-users@redhat.com, Albert Adams
> bite...@gmail.com
> Subject: Re: [Freeipa-users] Allow IPA users to create SSH tunnel with
> no shell
> Message-ID: 50cf8e9c.4020...@redhat.com
> Content-Type: text/plain; charset=UTF-8
>
> On 12/17/2012 09:36 AM, Simo Sorce wrote:
>> On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
>>> Thank you for the responses.  I was initially attempting to set this
>>> value via the web UI and if I entered anything other than the hash
>>> value of the user's public key it would get rejected.  After thinking
>>> about your response I realize that I really need to determine a method
>>> of doing this via a HBAC rule.  If I accomplish this with
>>> authorized_keys then the user is restricted across the board and would
>>> not be able to gain a shell on any system whereas HBAC would allow me
>>> to restrict their access as needed.  We currently require users to
>>> tunnel over SSH to gain access to certain sensitive web apps (like
>>> Nessus) but those same users have shell access on a few boxes.
>>> Thoughts??
>>
>> One thing you could do is to use the override_shell parameter in sssd.
>> However this one would override the shell for all users so just
>> putting /sbin/nologin there would not work if you need some users to be
>> able to log in (if you care only for root logins it would be enough).
>>
>> However you can still manage to use it to point to a script that would
>> test something like whether the user belongs to a group or not, and if
>> so run either /bin/bash or /bin/nologin
>>
>> This seems like a nice feature request for FreeIPA though, maybe we can
>> extend HBAC to allow a special option to define a shell, maybe creating
>> a special 'shell' service that sssd can properly interpret as a hint to
>> set nologin vs the actual shell.
>>
>> Dmitri, should we open a RFE on this ?
>>
>>
>> Simo.
>
> OK, RFE would make sense.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> --
>
> Message: 4
> Date: Tue, 18 Dec 2012 00:15:42 +
> From: Johan Petersson johan.peters...@sscspace.com
> To: freeipa-users@redhat.com freeipa-users@redhat.com
> Subject: [Freeipa-users] Problem generating Oracle ZFS Storage
> Appliance host and nfs principals and keys to IPA/Free IPA.
> Message-ID:
> 558c15177f5e714f83334217c9a197df5db40...@ssc-mbx2.ssc.internal
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> When trying to generate a host and nfs principal + keys from the Oracle
> ZFS 7120/7320 Appliance I get the following error message (note that the
> information pasted is from a simulator but I get exactly the same error
> from our real Appliances).
> I can't