Re: [Freeipa-users] FreeIPA and samba 4
On 10.3.2016 16:06, Rob Verduijn wrote:
> Howdy,
>
> out of curiosity any targeted release for UPN ?

Currently 4.4, see
https://fedorahosted.org/freeipa/ticket/5354 .

This might change, of course.

Petr^2 Spacek

>
> Cheers
> Rob
>
> 2016-03-10 15:15 GMT+01:00 Petr Spacek:
>> On 10.3.2016 13:34, Giulio Casella wrote:
>>> I've seen that howto, but it's not my case. I cannot establish a trust
>>> between IPA and AD, because AD domain involves additional UPNs
>>> (mydomain.com and another.mydomain.com) in addition to main domain
>>> foobar.local. This scenario is not supported by current version of
>>> FreeIPA (maybe in future releases).
>>> So: FreeIPA domain and AD domain have to be different.
>>
>> For the record, UPN support is soonish.
>>
>> Petr^2 Spacek
>>
>>>
>>> Giulio
>>>
>>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>>> Hello,
>>>>
>>>> Are you looking for this? This leverages the AD trust to allow samba
>>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>>
>>>> *Howto/Integrating a Samba File Server With IPA*
>>>>
>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>
>>>> -Justin
>>>>
>>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>>> Hi guys,
>>>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>>>> IPA domain, offering user's home directories.
>>>>>
>>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>>> the ability to mount those home directories via samba (entering
>>>>> credentials, not kerberos, being different domains).
>>>>>
>>>>> How can I configure samba to use IPA kerberos authentication
>>>>> to offer access to home directories?
>>>>>
>>>>> I know this could be configured more as a samba question, but I hope
>>>>> someone in this list already faced my scenario.
>>>>>
>>>>> Thanks in advance,
>>>>> Giulio
>>
>> --
>> Petr^2 Spacek

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA and samba 4
Howdy,

out of curiosity any targeted release for UPN ?

Cheers
Rob

2016-03-10 15:15 GMT+01:00 Petr Spacek:
> On 10.3.2016 13:34, Giulio Casella wrote:
>> I've seen that howto, but it's not my case. I cannot establish a trust
>> between IPA and AD, because AD domain involves additional UPNs
>> (mydomain.com and another.mydomain.com) in addition to main domain
>> foobar.local. This scenario is not supported by current version of
>> FreeIPA (maybe in future releases).
>> So: FreeIPA domain and AD domain have to be different.
>
> For the record, UPN support is soonish.
>
> Petr^2 Spacek
>
>>
>> Giulio
>>
>> On 10/03/2016 13:23, Justin Stephenson wrote:
>>> Hello,
>>>
>>> Are you looking for this? This leverages the AD trust to allow samba
>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>
>>> *Howto/Integrating a Samba File Server With IPA*
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>> -Justin
>>>
>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>>> Hi guys,
>>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>>> IPA domain, offering user's home directories.
>>>>
>>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>>> the ability to mount those home directories via samba (entering
>>>> credentials, not kerberos, being different domains).
>>>>
>>>> How can I configure samba to use IPA kerberos authentication
>>>> to offer access to home directories?
>>>>
>>>> I know this could be configured more as a samba question, but I hope
>>>> someone in this list already faced my scenario.
>>>>
>>>> Thanks in advance,
>>>> Giulio
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] FreeIPA and samba 4
On 10.3.2016 13:34, Giulio Casella wrote:
> I've seen that howto, but it's not my case. I cannot establish a trust between
> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
> another.mydomain.com) in addition to main domain foobar.local. This scenario
> is not supported by current version of FreeIPA (maybe in future releases).
> So: FreeIPA domain and AD domain have to be different.

For the record, UPN support is soonish.

Petr^2 Spacek

>
> Giulio
>
> On 10/03/2016 13:23, Justin Stephenson wrote:
>> Hello,
>>
>> Are you looking for this? This leverages the AD trust to allow samba
>> within IPA to resolve AD users from a trusted AD domain/forest
>>
>> *Howto/Integrating a Samba File Server With IPA*
>>
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>
>> -Justin
>>
>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>>> Hi guys,
>>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>>> IPA domain, offering user's home directories.
>>>
>>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>>> the ability to mount those home directories via samba (entering
>>> credentials, not kerberos, being different domains).
>>>
>>> How can I configure samba to use IPA kerberos authentication
>>> to offer access to home directories?
>>>
>>> I know this could be configured more as a samba question, but I hope
>>> someone in this list already faced my scenario.
>>>
>>> Thanks in advance,
>>> Giulio

--
Petr^2 Spacek
Re: [Freeipa-users] FreeIPA and samba 4
I've seen that howto, but it's not my case. I cannot establish a trust between
IPA and AD, because AD domain involves additional UPNs (mydomain.com and
another.mydomain.com) in addition to main domain foobar.local. This scenario
is not supported by current version of FreeIPA (maybe in future releases).
So: FreeIPA domain and AD domain have to be different.

Giulio

On 10/03/2016 13:23, Justin Stephenson wrote:
> Hello,
>
> Are you looking for this? This leverages the AD trust to allow samba
> within IPA to resolve AD users from a trusted AD domain/forest
>
> *Howto/Integrating a Samba File Server With IPA*
>
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> -Justin
>
> On 03/10/2016 06:29 AM, Giulio Casella wrote:
>> Hi guys,
>> I've got a FreeIPA domain up and running, with a nfs server, joined to
>> IPA domain, offering user's home directories.
>>
>> I'd like to give users on Windows 7 PC (not joined to the same domain)
>> the ability to mount those home directories via samba (entering
>> credentials, not kerberos, being different domains).
>>
>> How can I configure samba to use IPA kerberos authentication
>> to offer access to home directories?
>>
>> I know this could be configured more as a samba question, but I hope
>> someone in this list already faced my scenario.
>>
>> Thanks in advance,
>> Giulio

--
Giulio Casella        giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano
Re: [Freeipa-users] FreeIPA and samba 4
Hello,

Are you looking for this? This leverages the AD trust to allow samba
within IPA to resolve AD users from a trusted AD domain/forest

*Howto/Integrating a Samba File Server With IPA*

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

-Justin

On 03/10/2016 06:29 AM, Giulio Casella wrote:
> Hi guys,
> I've got a FreeIPA domain up and running, with a nfs server, joined to
> IPA domain, offering user's home directories.
>
> I'd like to give users on Windows 7 PC (not joined to the same domain)
> the ability to mount those home directories via samba (entering
> credentials, not kerberos, being different domains).
>
> How can I configure samba to use IPA kerberos authentication
> to offer access to home directories?
>
> I know this could be configured more as a samba question, but I hope
> someone in this list already faced my scenario.
>
> Thanks in advance,
> Giulio
Re: [Freeipa-users] FreeIPA as Samba 4 Backend
On 2.7.2013 20:35, Arthur wrote:
> 28.06.2013 18:57, Simo Sorce wrote:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>> I am new to this mailing list. At the moment I would like to migrate
>>> all of my users from Microsoft Active Directory to Open Source, and
>>> what I have in mind is getting it into Samba 4. In extending the
>>> functionality of it, I decided to integrate FreeIPA as the backend to
>>> Samba 4.
>>>
>>> I saw some obsolete reference on how to use FreeIPA as Samba 4 backend,
>>> but I don't know where are the new reference. Herewith I would seek
>>> advice on how to go for my mission.
>>
>> Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to
>> Samba4.
>> We abandoned that path a few years ago as it became clear it was highly
>> unlikely it would work.
>>
>> What we've done is that we changed our integration strategy and introduced
>> cross-realm trusts that would work with Active Directory. In the future
>> this should work also with Samba4, but Samba4 code base currently lacks
>> support for cross-forest trusts.
>>
>> Simo.
>
> Does it mean, that I can not make cross-realm trust between IPA-server
> Samba4-server at this time?

Yes, it is Samba 4 limitation.

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA as Samba 4 Backend
On Wed, 03 Jul 2013, Arthur wrote:
> 28.06.2013 18:57, Simo Sorce wrote:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>> I am new to this mailing list. At the moment I would like to migrate
>>> all of my users from Microsoft Active Directory to Open Source, and
>>> what I have in mind is getting it into Samba 4. In extending the
>>> functionality of it, I decided to integrate FreeIPA as the backend to
>>> Samba 4.
>>>
>>> I saw some obsolete reference on how to use FreeIPA as Samba 4 backend,
>>> but I don't know where are the new reference. Herewith I would seek
>>> advice on how to go for my mission.
>>
>> Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to
>> Samba4.
>> We abandoned that path a few years ago as it became clear it was highly
>> unlikely it would work.
>>
>> What we've done is that we changed our integration strategy and introduced
>> cross-realm trusts that would work with Active Directory. In the future
>> this should work also with Samba4, but Samba4 code base currently lacks
>> support for cross-forest trusts.
>>
>> Simo.
>
> Does it mean, that I can not make cross-realm trust between IPA-server
> Samba4-server at this time?

No, you cannot achieve cross-realm trust with Samba AD DC right now.

--
/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and Samba 4
On Mon, 2012-12-17 at 22:48 -0500, William Muriithi wrote:
>>> I know this may be a loaded question, but I am asking it anyways.
>>>
>>> Can anyone tell me what the current status and future plan for IPA /
>>> Samba 4 is?
>>
>> We plan to support setting up trusts with Samba4 just like we do with AD
>> when Samba4 will start supporting Cross-forest trusts. It currently
>> doesn't.
>>
>> Simo.
>
> Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance
> as a backup AD to existing AD some day when I get some time. Not well
> documented though, wish there was well written book on it. Anyway backup
> AD would be the best way to set some experience I am assuming
>
> A related question, would there be any need to have a replica when using
> trust if the AD is just one instance? What I am asking in another way
> is, if the AD fails, wouldn't the FreeIPA fail to authenticate users till
> AD issues are fixed?

It depends on the case.

In general the answer would be yes, however.

- if you already have a cross-realm TGT you should still be able to
  access all IPA services as the AD KDC is not required until a renew is
  necessary.
- if you do password based logins then sssd may cache offline
  credentials and still let you in (but you will not have a TGT, so you
  may not use kerberized services).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA and Samba 4
On Mon, 2012-12-17 at 14:58 -0500, Steven Santos wrote:
> I know this may be a loaded question, but I am asking it anyways.
>
> Can anyone tell me what the current status and future plan for IPA /
> Samba 4 is?

We plan to support setting up trusts with Samba4 just like we do with AD
when Samba4 will start supporting Cross-forest trusts. It currently
doesn't.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA and Samba 4
>> I know this may be a loaded question, but I am asking it anyways.
>>
>> Can anyone tell me what the current status and future plan for IPA /
>> Samba 4 is?
>
> We plan to support setting up trusts with Samba4 just like we do with AD
> when Samba4 will start supporting Cross-forest trusts. It currently
> doesn't.
>
> Simo.

Yes, it's amazing samba4 has finally gone GA. Plan to set up an instance
as a backup AD to existing AD some day when I get some time. Not well
documented though, wish there was well written book on it. Anyway backup
AD would be the best way to set some experience I am assuming

A related question, would there be any need to have a replica when using
trust if the AD is just one instance? What I am asking in another way
is, if the AD fails, wouldn't the FreeIPA fail to authenticate users till
AD issues are fixed?

Regards,
William

> --
> Simo Sorce * Red Hat, Inc * New York
>
> --
>
> Message: 2
> Date: Mon, 17 Dec 2012 16:03:03 -0500
> From: Dmitri Pal d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] anyone know how to do sssd filters?
> Message-ID: 50cf8887.9020...@redhat.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 12/17/2012 03:11 PM, KodaK wrote:
>> I'm attempting to install Satellite in my IPA domain. There is a
>> ridiculous requirement that the group dba must not already exist
>> prior to installing. Red Hat support wanted me to *remove* the DBA
>> group and then install.
>>
>> Anyway, I'm trying to play around with filter_groups in sssd, and I
>> can't seem to get it to take. The man page isn't exactly clear, but
>> here's what I've tried:
>>
>> filter_groups = dba
>> filter_groups= dba@fqdn
>>
>> In the [domain], [sssd] and [nss] sections of the config file.
>>
>> What's the right syntax? Do I need it in every section?
>
> Is it a local group or a central group?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> --
>
> Message: 3
> Date: Mon, 17 Dec 2012 16:29:00 -0500
> From: Dmitri Pal d...@redhat.com
> To: Simo Sorce s...@redhat.com
> Cc: freeipa-users freeipa-users@redhat.com, Albert Adams
>     bite...@gmail.com
> Subject: Re: [Freeipa-users] Allow IPA users to create SSH tunnel with
>     no shell
> Message-ID: 50cf8e9c.4020...@redhat.com
> Content-Type: text/plain; charset=UTF-8
>
> On 12/17/2012 09:36 AM, Simo Sorce wrote:
>> On Mon, 2012-12-17 at 09:07 -0500, Albert Adams wrote:
>>> Thank you for the responses. I was initially attempting to set this
>>> value via the web UI and if I entered anything other than the hash
>>> value of the user's public key it would get rejected. After thinking
>>> about your response I realize that I really need to determine a
>>> method of doing this via a HBAC rule. If I accomplish this with
>>> authorized_keys then the user is restricted across the board and
>>> would not be able to gain a shell on any system whereas HBAC would
>>> allow me to restrict their access as needed. We currently require
>>> users to tunnel over SSH to gain access to certain sensitive web apps
>>> (like Nessus) but those same users have shell access on a few boxes.
>>> Thoughts??
>>
>> One thing you could do is to use the override_shell parameter in sssd.
>> However this one would override the shell for all users so just putting
>> /sbin/nologin there would not work if you need some users to be able to
>> log in (if you care only for root logins it would be enough).
>>
>> However you can still manage to use it to point to a script that would
>> test something like whether the user belongs to a group or not, and if
>> so run either /bin/bash or /bin/nologin
>>
>> This seems like a nice feature request for FreeIPA though, maybe we can
>> extend HBAC to allow a special option to define a shell, maybe creating
>> a special 'shell' service that sssd can properly interpret as a hint to
>> set nologin vs the actual shell.
>>
>> Dmitri, should we open a RFE on this ?
>>
>> Simo.
>
> OK , RFE would make sense.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> --
>
> Message: 4
> Date: Tue, 18 Dec 2012 00:15:42 +
> From: Johan Petersson johan.peters...@sscspace.com
> To: freeipa-users@redhat.com freeipa-users@redhat.com
> Subject: [Freeipa-users] Problem generating Oracle ZFS Storage
>     Appliance host and nfs principals and keys to IPA/Free IPA.
> Message-ID: 558c15177f5e714f83334217c9a197df5db40...@ssc-mbx2.ssc.internal
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> When trying to generate a host and nfs principal + keys from the Oracle
> ZFS 7120/7320 Appliance I get the following error message (note that the
> information pasted are from a simulator but I get exactly the same error
> from our real Appliances).
>
> I can't
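
Added example (not part of the thread, and not code from FreeIPA or sssd): Simo Sorce's reply quoted in the digest above suggests pointing sssd's override_shell at a script that checks group membership and then runs either a real shell or nologin. The sketch below is one way to write such a script; the group name `shellusers`, the install name `ipa-shell-wrapper` and the two shell paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a target for sssd's override_shell.
# The group is hard-coded on purpose: a login shell must not take policy
# from environment variables, which the connecting client may influence.
ALLOWED_GROUP="shellusers"      # hypothetical IPA group allowed a real shell
REAL_SHELL="/bin/bash"
DENY_SHELL="/sbin/nologin"

# pick_shell ALLOWED_GID "GID GID ...": print the shell to run.
# Numeric GIDs are compared because group names can contain spaces
# (common for AD groups), which breaks word splitting on names.
pick_shell() {
    allowed_gid=$1
    case "$allowed_gid" in
        ''|*[!0-9]*)            # group lookup failed or returned junk: deny
            printf '%s\n' "$DENY_SHELL"
            return 0 ;;
    esac
    for gid in $2; do
        if [ "$gid" = "$allowed_gid" ]; then
            printf '%s\n' "$REAL_SHELL"
            return 0
        fi
    done
    printf '%s\n' "$DENY_SHELL"
}

# Resolve the group and the caller's GIDs through NSS (sssd) from the
# process's own credentials; $USER and $LOGNAME are never consulted.
# Any failed lookup (for example sssd offline with no cache) ends in denial.
shell_for_current_user() {
    allowed_gid=$(getent group "$ALLOWED_GROUP" 2>/dev/null | cut -d: -f3)
    gids=$(id -G 2>/dev/null) || gids=""
    pick_shell "$allowed_gid" "$gids"
}

# Act as a login shell only when installed under the wrapper name, so the
# functions above can be sourced or tested without side effects.
case "${0##*/}" in
    ipa-shell-wrapper)
        target=$(shell_for_current_user)
        if [ "$#" -eq 0 ]; then set -- -l; fi   # plain login: start a login shell
        exec "$target" "$@"                     # "-c command" passes through unchanged
        ;;
esac
```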