On Wed, 05 Dec 2018, Robert Byrne via FreeIPA-users wrote:
Hi,
A belated thanks for the reply and I seem to have solved the problem. The cause might have
been obvious to others, but I will describe it here briefly in case it helps others:
- We have a FreeIPA server and this exports a number of directories by Samba. FreeIPA was
setup as described above and Samba as described here
(https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_I...).
- There is no trust with the Windows domain / AD. Some of the users are also using OSX.
- FreeIPA users were unable to mount the Samba shares if they entered
\\samba.linux.company.local\samba_share_name in e.g. Windows Explorer.
- The issue was that I had changed the users' UIDs and GIDs from those automatically
assigned by the Web UI to their current values to aid migration. The values were then
outside of the local domain range defined in the IPA server > ID ranges tab of the Web
UI. As soon as this range was changed (in my case through reinstalling FreeIPA server with
the option "--idstart=2000") the users could mount the shares from Windows.
A bit frustrating, but still a lot easier than setting up LDAP even without Samba! :-)
Somewhat off-topic. Does anyone know if the connection between the clients (Windows or
OSX) and the FreeIPA/Samba server is encrypted or how I could find this out? This is the
output of 'net conf list':
[global]
workgroup = LINUX
netbios name = IPA
realm = LINUX.CRELUX.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=crelux,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
I guess from the line 'ldap ssl = off' that the user credentials are being sent in
plain-text. Is this correct?
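The fix described above boils down to making sure every user's UID and GID fall inside the IPA server's local domain ID range. The following script is an added example, not part of the original thread or of FreeIPA itself: it parses the text output of `ipa idrange-find` (the sample output below is constructed, with an `--idstart=2000` style range) and reports the entries in `getent passwd` style lines whose UID or GID lie outside any "local domain range". It is meant as a pre-flight check before handing migrated accounts to Samba.

```python
"""Check that POSIX UIDs/GIDs fall inside an IPA local domain ID range.

Added example for the thread above, not FreeIPA project code. The field
labels parsed below ("Range name", "First Posix ID of the range", ...)
are those printed by `ipa idrange-find`; the sample text itself is
constructed and not taken from a real server.
"""

# Constructed sample of `ipa idrange-find` output (one local range).
SAMPLE_IDRANGE_OUTPUT = """\
----------------
1 range matched
----------------
  Range name: LINUX.CRELUX.LOCAL_id_range
  First Posix ID of the range: 2000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed passwd-style lines, e.g. as returned by `getent passwd`.
SAMPLE_PASSWD = """\
rbyrne:*:2001:2001:Robert Byrne:/home/rbyrne:/bin/bash
legacyuser:*:1500:1500:Migrated user:/home/legacyuser:/bin/bash
mixed:*:2500:1500:UID ok, GID migrated:/home/mixed:/bin/bash
svc:*:250000:250000:Service account:/var/lib/svc:/sbin/nologin
"""


def parse_idranges(text: str) -> list[dict]:
    """Extract name, first ID, size and type of each range in the output."""
    ranges: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Range name:"):
            cur = {"name": line.split(":", 1)[1].strip()}
            ranges.append(cur)
        elif cur is None:
            continue
        elif line.startswith("First Posix ID of the range:"):
            cur["first"] = int(line.split(":", 1)[1])
        elif line.startswith("Number of IDs in the range:"):
            cur["size"] = int(line.split(":", 1)[1])
        elif line.startswith("Range type:"):
            cur["type"] = line.split(":", 1)[1].strip()
    return ranges


def in_local_range(idnum: int, ranges: list[dict]) -> bool:
    """True if idnum lies in some local domain range [first, first+size)."""
    return any(
        r.get("type") == "local domain range"
        and r["first"] <= idnum < r["first"] + r["size"]
        for r in ranges
    )


def find_out_of_range_users(passwd_text: str, ranges: list[dict]) -> list[tuple]:
    """Return (name, uid, gid, [offending fields]) for each bad entry."""
    problems = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        bad = []
        if not in_local_range(uid, ranges):
            bad.append("uid")
        if not in_local_range(gid, ranges):
            bad.append("gid")
        if bad:
            problems.append((name, uid, gid, bad))
    return problems


if __name__ == "__main__":
    ranges = parse_idranges(SAMPLE_IDRANGE_OUTPUT)
    for r in ranges:
        print(f"{r['name']}: {r['first']}..{r['first'] + r['size'] - 1} ({r['type']})")
    for name, uid, gid, bad in find_out_of_range_users(SAMPLE_PASSWD, ranges):
        print(f"{name}: uid={uid} gid={gid} outside local range: {', '.join(bad)}")
```

In practice you would pipe the real `ipa idrange-find` and `getent passwd` output into the two functions; any account the script flags is one that, per the report above, will not be able to mount the ipasam-backed shares until its IDs are moved into the range or the range is widened.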
The passdb backend is set to use the 'ipasam' module with the LDAPI protocol,
which is LDAP over a Unix domain socket. It doesn't use SSL but instead uses
GSSAPI for authentication and signing. So first, the data is not sent
over the network, only between two daemons on the same machine over a UNIX
domain socket. And second, the channel is set up with GSSAPI and it is
encrypted even for that UNIX domain socket.
Use of 'ldap ssl = off' is to avoid hitting the code paths in Samba that
require handling certificates, for the case where they are not needed at
all.
Hope this helps.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland