Hey,
Is there any chance that the combination FreeIPA + Samba + Ubuntu is going to work in the near future? So far I haven't been able to.
The main purpose is to give Windows users access to disk space on our (Ubuntu) servers. And with their IPA credentials.
I know that Alexander knows a whole lot about Samba and FreeIPA. But not so much about the combination with Ubuntu, I think (except that Heimdal versus MIT Kerberos plays a role). Timo may know more about the Ubuntu part, but I don't think he has the whole setup with FreeIPA+Samba.
In 2016 (yes, that long ago) Alexander wrote [1]
"Let me comment as FreeIPA and Samba upstream developer.
Ubuntu's Samba build is done with Heimdal and you cannot build ipasam.so against Heimdal, only MIT Kerberos. So you cannot use Ubuntu-provided Samba build this way even if you'd recompile FreeIPA with patches we have upstream to deal with libpdb -> libsamba-pdb library name change.
So until Samba in Debian and Ubuntu is built against Heimdal Kerberos (this is due to Debian/Ubuntu packaging Samba AD, not just Samba) it is unlikely to have FreeIPA trust to AD working in Ubuntu. We are fairly close to completing the port of Samba AD to MIT Kerberos upstream; this should happen in the Samba 4.5-4.6 timeframe. Once that is done, we can expect FreeIPA with trust to AD working on Debian-based platforms as well."
It's 2019 now. I've tried Ubuntu 18.04 (with Samba 4.7.6), but I still can't get it to work. Possibly because the MIT KDC is not enabled in Ubuntu's Samba [2]. The following test shows empty output.
# smbd -b | grep HAVE_LIBKADM5SRV_MIT
Argh, what are my options?
[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
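As an added example (not part of this thread, nor code from the Samba or FreeIPA projects), a small POSIX shell helper that turns the `smbd -b` check above into a one-word classification of the installed build. HAVE_LIBKADM5SRV_MIT is the define the Samba wiki in [2] names for MIT KDC support; the SAMBA4_USES_HEIMDAL define used to spot a Heimdal build, and the sample build-option text, are assumptions and constructed data respectively.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a Samba build from the
# text that `smbd -b` prints. HAVE_LIBKADM5SRV_MIT comes from the Samba
# wiki; SAMBA4_USES_HEIMDAL as a marker of a Heimdal build is an assumption.

# Reads `smbd -b` output on stdin and prints one of:
#   mit-kdc     MIT Kerberos with kadm5 server support (what ipasam.so needs)
#   heimdal     Heimdal build (Debian/Ubuntu style); ipasam.so cannot be built
#   mit-no-kdc  MIT Kerberos libraries, but the MIT KDC bits are not enabled
#   unknown     no recognised Kerberos define found
samba_kdc_support() {
    opts=$(cat)
    case "$opts" in
        *HAVE_LIBKADM5SRV_MIT*) echo mit-kdc ;;
        *SAMBA4_USES_HEIMDAL*)  echo heimdal ;;
        *HAVE_KRB5*)            echo mit-no-kdc ;;
        *)                      echo unknown ;;
    esac
}

# Constructed sample of a Heimdal-style build (not real smbd output).
sample_heimdal_build() {
    printf '%s\n' ' Build options:' '    HAVE_KRB5' '    SAMBA4_USES_HEIMDAL'
}

# Constructed sample of a build with the MIT KDC enabled.
sample_mit_kdc_build() {
    printf '%s\n' ' Build options:' '    HAVE_KRB5' '    HAVE_LIBKADM5SRV_MIT'
}

# Classify the Samba actually installed on this host, if there is one.
check_local_smbd() {
    if command -v smbd >/dev/null 2>&1; then
        smbd -b | samba_kdc_support
    else
        echo "smbd not installed"
    fi
}

check_local_smbd
```

Run it on the Ubuntu box in question; anything other than `mit-kdc` means ipasam.so has nothing to link against there.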
On Tue, 08 Jan 2019, Kees Bakker via FreeIPA-users wrote:
Hey,
Is there any chance that the combination FreeIPA + Samba + Ubuntu is going to work in the near future? So far I haven't been able to.
The main purpose is to give Windows users access to disk space on our (Ubuntu) servers. And with their IPA credentials.
I don't think it is going to work (ever) with the current state. Nothing changed since [1] in Ubuntu.
Also, it is confusing -- what do you mean 'to give Windows users access .. with their IPA credentials'? What do you use?
[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
Running Samba AD DC with MIT Kerberos KDC will not help you to solve this task.
I'm currently working on enabling Samba to run on an IPA client where it would be a normal domain member talking to the IPA master's Samba as its domain controller. However, this needs a number of fixes in both FreeIPA and Samba. Also, since you are running the IPA master on Ubuntu, it is pretty much out of the question for you, as Ubuntu Samba (the normal one, not the AD DC variant) is compiled against Heimdal, so it cannot be used with FreeIPA to create the needed infrastructure.
On 08-01-19 10:18, Alexander Bokovoy wrote:
On Tue, 08 Jan 2019, Kees Bakker via FreeIPA-users wrote:
Hey,
Is there any chance that the combination FreeIPA + Samba + Ubuntu is going to work in the near future? So far I haven't been able to.
The main purpose is to give Windows users access to disk space on our (Ubuntu) servers. And with their IPA credentials.
I don't think it is going to work (ever) with the current state. Nothing changed since [1] in Ubuntu.
Also, it is confusing -- what do you mean 'to give Windows users access .. with their IPA credentials'? What do you use?
Well, nothing special, just connect to a Samba share. This is working with a Samba server on Centos7 in the same IPA network. Note, (see below) our IPA masters now run on Centos7.
[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
Running Samba AD DC with MIT Kerberos KDC will not help you to solve this task.
I'm currently working on enabling Samba to run on an IPA client where it would be a normal domain member talking to the IPA master's Samba as its domain controller. However, this needs a number of fixes in both FreeIPA and Samba. Also, since you are running the IPA master on Ubuntu
No I'm not, not anymore. We had a horrible experience with expired certs, which we were never able to resolve. We decided to reinstall the IPA servers on Centos7. The remainder of the (Linux) systems are Ubuntu as IPA clients. So far that works well, except the Samba part.
, it is pretty much out of the question for you, as Ubuntu Samba (the normal one, not the AD DC variant) is compiled against Heimdal, so it cannot be used with FreeIPA to create the needed infrastructure.
For testing I have installed Centos7 with Samba (in a LXD container). I can connect shares on this server to Windows clients using my IPA credential (keesb@GHS.NL).
One of our servers is running Ubuntu with Nextcloud and other stuff. I was hoping to install Samba as well and then give Windows users access to certain shares (e.g. home dir). Linux users have better means to access that server (NFS, SSH, etc).
On Tue, 08 Jan 2019, Kees Bakker via FreeIPA-users wrote:
On 08-01-19 10:18, Alexander Bokovoy wrote:
On Tue, 08 Jan 2019, Kees Bakker via FreeIPA-users wrote:
Hey,
Is there any chance that the combination FreeIPA + Samba + Ubuntu is going to work in the near future? So far I haven't been able to.
The main purpose is to give Windows users access to disk space on our (Ubuntu) servers. And with their IPA credentials.
I don't think it is going to work (ever) with the current state. Nothing changed since [1] in Ubuntu.
Also, it is confusing -- what do you mean 'to give Windows users access .. with their IPA credentials'? What do you use?
Well, nothing special, just connect to a Samba share. This is working with a Samba server on Centos7 in the same IPA network. Note, (see below) our IPA masters now run on Centos7.
Ah, OK.
[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
Running Samba AD DC with MIT Kerberos KDC will not help you to solve this task.
I'm currently working on enabling Samba to run on an IPA client where it would be a normal domain member talking to the IPA master's Samba as its domain controller. However, this needs a number of fixes in both FreeIPA and Samba. Also, since you are running the IPA master on Ubuntu
No I'm not, not anymore. We had a horrible experience with expired certs, which we were never able to resolve. We decided to reinstall the IPA servers on Centos7. The remainder of the (Linux) systems are Ubuntu as IPA clients. So far that works well, except the Samba part.
There is a lot missing in Samba integration done the right way. Typical suggestions you may find on the internet basically tell you to run Samba on an IPA client as a standalone server, re-using the ipasam module we wrote for IPA masters. This is not preferred, as it requires a domain member (IPA client) to have access to the NT hashes of IPA users. It is a security risk and thus we don't really recommend it.
Recently I was working on a prototype that allows using a normal domain member setup for Samba on an IPA client. This means Samba defers everything to its domain controller (the IPA master) in terms of authenticating users without Kerberos tickets and resolving SID to ID and ID to SID. However, it needs a particular setup for a cifs/... Kerberos principal on this client and also a known machine account password for the principal, which in recent Samba versions one cannot set offline easily. Offline is key here, as Samba sets it when joining a domain and we aren't using a Samba-based join process here.
I have things mostly working, for both IPA and trusted AD users, but there are a few hacky steps that I'd like to turn into properly supported commands in the 'net' utility in Samba and into a specialized command for the IPA framework. There are also smaller fixes around access controls in IPA LDAP and changes to the ipasam module to get it all working properly.
So the solution as I'd like to see it is finally coming.
, it is pretty much out of the question for you, as Ubuntu Samba (the normal one, not the AD DC variant) is compiled against Heimdal, so it cannot be used with FreeIPA to create the needed infrastructure.
For testing I have installed Centos7 with Samba (in a LXD container). I can connect shares on this server to Windows clients using my IPA credential (keesb@GHS.NL).
One of our servers is running Ubuntu with Nextcloud and other stuff. I was hoping to install Samba as well and then give Windows users access to certain shares (e.g. home dir). Linux users have better means to access that server (NFS, SSH, etc).
Ok. Well, it is not something I can help with without heavy patching.
freeipa-users@lists.fedorahosted.org