OK, looking forward to seeing your work done.

Regards.
F

On Wed, Mar 13, 2019 at 11:20 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Wed, 13 Mar 2019, fujisan wrote:
>Hi Alexander,
>I finally succeeded in making it work with the following configuration on the
>FreeIPA server.
>
>[global]
>    workgroup = MYDOMAIN.LOCAL
>    netbios name = MYSERVER
>    realm = MYDOMAIN.LOCAL
>    kerberos method = dedicated keytab
>    dedicated keytab file = /etc/samba/samba.keytab
>    create krb5 conf = no
>    security = user
>    domain master = yes
>    domain logons = yes
>    max log size = 100000
>    log file = /var/log/samba/log.%m
>    rpc_server:epmapper = external
>    rpc_server:lsarpc = external
>    rpc_server:lsass = external
>    rpc_server:lsasd = external
>    rpc_server:samr = external
>    rpc_server:netlogon = external
>    rpc_server:tcpip = yes
>    rpc_daemon:epmd = fork
>    rpc_daemon:lsasd = fork
>    smb ports = 139 445
>    log level = 10
>
>[scratch]
>    path = /data/scratch
>    comment = Scratch shared files
>    read only = no
>    browseable = yes
>    guest ok = no
>    create mask = 0644
>
>I commented out the following from the global section:
>
>        ;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
>        ;disable spoolss = yes
>        ;ldapsam:trusted = yes
>        ;ldap ssl = off
>        ;ldap suffix = dc=mydomain,dc=local
>        ;ldap user suffix = cn=users,cn=accounts
>        ;ldap group suffix = cn=groups,cn=accounts
>        ;ldap machine suffix = cn=computers,cn=accounts
>
>Any idea why this was causing trouble?
You basically killed IPA integration here by doing that: you are no longer
resolving users and SIDs through IPA LDAP, and you have not set up any other
way to resolve them.

>Also, when I check the properties (the "Security" tab) in Windows of a file
>in the FreeIPA server's share /data/scratch, the SIDs of the user and group are
>not resolved.
>My desktop is also a samba server and the SIDs are resolved.
>
>What could be the cause of this non-resolution of the SIDs?
Everything. ;)

We do not yet properly support running a Samba file server on an IPA member
(or an IPA master, for that matter). I'm working on that and have a
proof of concept, but it is not finished yet.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
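The check Alexander describes, as an added example that is not part of the thread and not code from FreeIPA or Samba: a small smb.conf linter that parses the file, notes which parameters were left only as `;` comments, and flags a [global] section whose `passdb backend` is missing or not the `ipasam:ldapi://...` backend. The sample configuration is constructed from the smb.conf quoted above (the ldapi socket path is the one shown there); the function names and the finding text are this example's own.

```python
"""Lint an smb.conf for the IPA-integration setting discussed in the thread.

Added example, not code from the thread, FreeIPA or Samba. The sample config
below is constructed from the smb.conf quoted in the thread; the ldapi socket
path is the one shown there. The only rule encoded is the point made in the
reply: with 'passdb backend = ipasam:ldapi://...' commented out, Samba on the
IPA server no longer resolves users and SIDs through IPA LDAP.
"""
import re


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Like Samba, treat lines starting with ';' or '#' as comments, lowercase
    parameter names with internal whitespace collapsed, and honour a trailing
    backslash as a line continuation.
    """
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def disabled_params(text):
    """Return parameters that appear only as commented-out lines (';' or '#')."""
    out = {}
    for raw in text.splitlines():
        s = raw.strip()
        if s[:1] in (";", "#") and "=" in s:
            key, value = s[1:].split("=", 1)
            out[" ".join(key.split()).lower()] = value.strip()
    return out


def check_ipa_integration(text):
    """Return a list of findings; empty when the IPA passdb backend is active."""
    g = parse_smb_conf(text).get("global", {})
    disabled = disabled_params(text)
    findings = []
    backend = g.get("passdb backend", "")
    if not backend:
        # Samba's documented default for an unset 'passdb backend' is tdbsam,
        # which knows nothing about the users and SIDs stored in IPA LDAP.
        msg = ("[global] passdb backend is not set, so Samba does not read users "
               "and SIDs from IPA LDAP and falls back to its built-in tdbsam")
        if "passdb backend" in disabled:
            msg += f" (a commented-out value exists: {disabled['passdb backend']})"
        findings.append(msg)
    elif not backend.startswith("ipasam:ldapi://"):
        findings.append(f"[global] passdb backend is {backend!r}; the IPA-generated "
                        "config uses ipasam: over the local ldapi socket")
    return findings


# Constructed from the [global] section quoted in the thread, with the
# passdb backend line commented out exactly as the original poster did.
BROKEN_CONF = """\
[global]
    workgroup = MYDOMAIN.LOCAL
    netbios name = MYSERVER
    realm = MYDOMAIN.LOCAL
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    ;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
    ;disable spoolss = yes
    ;ldapsam:trusted = yes
    log level = 10

[scratch]
    path = /data/scratch
    read only = no
    guest ok = no
"""

# The same file with the backend line re-enabled.
FIXED_CONF = BROKEN_CONF.replace("    ;passdb backend", "    passdb backend")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_ipa_integration(conf) or "OK")
```

Run it against the real file with `check_ipa_integration(open("/etc/samba/smb.conf").read())`. A clean result only means the ipasam backend is back in place; as the reply above says, a Samba file server on an IPA master is still not fully supported, so resolved SIDs in the Windows Security tab are not guaranteed by this check alone.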