Hello,

As there isn't currently a way to cleanly set up a Samba share on an IPA
enrolled system, I am attempting to get around this by hopefully
getting the system retrieving the ID from IPA by means of the LDAP protocol.
That way, I can point the Samba service directly to the AD. Because
of this requirement, I can't use realmd or the ipa-client to enrol the
system. So I am setting it manually.

This is what I have done to get the system authenticating the user from
IPA using LDAP:

- Changed /etc/nsswitch.conf and added SSS

    passwd: files sss
    shadow: files sss
    group: files sss

- Added sssd on the pam files

    [root@sambapoc4 ~]# cat /etc/pam.d/password-auth-ac | grep sss
    auth sufficient pam_sss.so forward_pass
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    password sufficient pam_sss.so use_authtok
    session optional pam_sss.so
    [root@sambapoc4 ~]# cat /etc/pam.d/system-auth | grep sss
    auth sufficient pam_sss.so forward_pass
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    password sufficient pam_sss.so use_authtok
    session optional pam_sss.so
    [root@sambapoc4 ~]#

- This is the SSSD configuration

    [domain/default]
    autofs_provider = ldap
    cache_credentials = True
    ldap_search_base = dc=eng,dc=example,dc=com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://hydrogen.eng.example.com:389,ldap://lithium.eng.example.com:389
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    [sssd]
    services = nss, pam, autofs
    domains = default
    [nss]
    homedir_substring = /home
    [pam]
    [sudo]

I don't think this is correct or enough, though, since I am seeing this
in the logs:

    Aug 22 17:42:21 localhost sshd[20724]: Failed password for invalid user william from 192.168.20.221 port 49598 ssh2
    Aug 22 17:42:25 localhost sshd[20724]: Failed password for invalid user william from 192.168.20.221 port 49598 ssh2
    Aug 22 17:42:27 localhost sshd[20724]: Connection closed by 192.168.20.221 [preauth]

What other changes would I be overlooking to get the system
authenticating using LDAP?

Regards,
William
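
An added example, not part of William's message: sshd tags a failed login "invalid user" when it has no usable account entry for the name (which includes a name-service lookup that returns nothing), so such lines concern the account side rather than the password check. The Python sketch below separates the two cases in sshd log lines and checks the nsswitch and sssd.conf settings quoted above. The "alice" log line, the function names and the "account"/"auth" labels are constructed for illustration.

```python
import configparser
import re

# Constructed input: the two sshd lines from the post (unwrapped) plus one made-up
# line for a resolvable account ("alice" is hypothetical) so both branches run.
SAMPLE_LOG = """\
Aug 22 17:42:21 localhost sshd[20724]: Failed password for invalid user william from 192.168.20.221 port 49598 ssh2
Aug 22 17:42:25 localhost sshd[20724]: Failed password for invalid user william from 192.168.20.221 port 49598 ssh2
Aug 22 17:43:02 localhost sshd[20731]: Failed password for alice from 192.168.20.221 port 49610 ssh2
"""
# Settings copied from the post (sssd.conf trimmed to the lines the checks read).
SAMPLE_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"
SAMPLE_SSSD = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
[sssd]
services = nss, pam, autofs
domains = default
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from ")

def triage(log_text):
    """Map user -> where the login failed: 'account' = sshd had no usable account
    ('invalid user'), 'auth' = the account was accepted but the password was not."""
    out = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            out.setdefault(m.group(2), set()).add("account" if m.group(1) else "auth")
    return out

def nss_uses_sss(nsswitch_text, db="passwd"):
    """True if the given nsswitch database lists the sss source."""
    for line in nsswitch_text.splitlines():
        name, _, sources = line.split("#")[0].partition(":")
        if name.strip() == db:
            return "sss" in sources.split()
    return False

def domain_gaps(sssd_text):
    """Domains named in [sssd] that lack a [domain/NAME] section with id_provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    names = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    return [d for d in names if d and not cp.has_option(f"domain/{d}", "id_provider")]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), nss_uses_sss(SAMPLE_NSSWITCH), domain_gaps(SAMPLE_SSSD))
```

On the constructed input, william's failures land in the account bucket while both file checks pass, so the files alone do not account for the failure.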