Thanks for the suggestions so far!
I'm documenting this on this thread because I found out why the previous system had the custom sambaSamAccount attributes: They seem to be necessary to authenticate SMB shares when FreeIPA is the LDAP backend to a Synology NAS. If I try to set LDAP authentication now, I get this error on Synology DSM:
Issue Details: The LDAP server does not support Samba schema. ... Recommended action: Enable CIFS plain text password authentication. [and
if you do], this DSM cannot be the remote mount target of CIFS.
Some past threads on freeipa-users (mostly for TrueNAS) suggest that the Samba schema attributes are deprecated in favour of something using Kerberos, but I do not get that option in Synology at all.
I believe the previous sysadmins of our shop must have followed this guide by Markus Opolka, or a similar HOWTO: https://blog.cubieserver.de/2018/synology-nas-samba-nfs-and-kerberos-with-fr...
That would explain why I couldn't create users with the Web interface in my new FreeIPA (4.11) instance; this guide necessitates manual setting of the Samba attributes via command-line `ipa user-add` flags.
However, it is then a mystery to me why user account creation worked via Web interface in the old (4.5) instance.
I'm not sure how to proceed here since CIFS mounting is one of our users' primary uses of LDAP in the first place. Maybe I'll recreate the Samba attributes after all, try to restore the previous values from backups, and document properly how to create users with the command-line options.
[]s
Am Mo., 29. Jan. 2024 um 14:52 Uhr schrieb Alexander Bokovoy < abokovoy@redhat.com>:
On Пан, 29 сту 2024, Melissa Ferreira da Silva Boiko via FreeIPA-users wrote:
Seems like it has "ipaUserObjectClasses: sambasamaccount" which I see mentioned in very old threads about Samba support only. Here's the full config:
Thanks. You can remove sambaSamAccount by running
$ ipa config-mod --delattr=ipaUserObjectClasses=sambaSamAccount
Same applies to shadowAccount which we don't use by default either.
dn: cn=ipaConfig,cn=etc,dc=example,dc=local ipamaxusernamelength: 32 ipahomesrootdir: /home ipadefaultloginshell: /bin/bash ipadefaultprimarygroup: ipausers ipadefaultemaildomain: example.com ipasearchtimelimit: 2 ipasearchrecordslimit: 100 ipausersearchfields: uid,givenname,sn,telephonenumber,ou,title ipagroupsearchfields: cn,description ipamigrationenabled: FALSE ipacertificatesubjectbase: O=EXAMPLE.LOCAL ipapwdexpadvnotify: 4 ipaconfigstring: AllowNThash ipaconfigstring: KDC:Disable Last Success ipaselinuxusermaporder:guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
ipaselinuxusermapdefault: unconfined_u:s0-s0:c0.c1023 ipakrbauthzdata: MS-PAC ipakrbauthzdata: nfs:NONE ipauserauthtype: disabled ipauserauthtype: password cn: ipaConfig ipaGroupObjectClasses: top ipaGroupObjectClasses: groupofnames ipaGroupObjectClasses: nestedgroup ipaGroupObjectClasses: ipausergroup ipaGroupObjectClasses: ipaobject ipaMaxHostnameLength: 64 ipaUserObjectClasses: top ipaUserObjectClasses: person ipaUserObjectClasses: organizationalperson ipaUserObjectClasses: inetorgperson ipaUserObjectClasses: inetuser ipaUserObjectClasses: posixaccount ipaUserObjectClasses: krbprincipalaux ipaUserObjectClasses: krbticketpolicyaux ipaUserObjectClasses: ipaobject ipaUserObjectClasses: ipasshuser ipaUserObjectClasses: sambasamaccount ipaUserObjectClasses: shadowAccount objectClass: nsContainer objectClass: top objectClass: ipaGuiConfig objectClass: ipaConfigObject objectClass: ipaUserAuthTypeClass objectClass: ipaNameResolutionData
Thanks! -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email tofreeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland