Hey,
Is there any chance that the combination FreeIPA + Samba + Ubuntu
is going to work in the near future? So far I haven't been able to get it to work.
The main purpose is to give Windows users access to disk space
on our (Ubuntu) servers, with their IPA credentials.
I know that Alexander knows a whole lot about Samba and FreeIPA.
But not so much about the combination with Ubuntu, I think (except that
Heimdal versus MIT Kerberos plays a role). Timo may know
more about the Ubuntu part, but I don't think he has the whole
setup with FreeIPA+Samba.
In 2016 (yes, that long ago) Alexander wrote [1]:
"Let me comment as FreeIPA and Samba upstream developer.
Ubuntu's Samba build is done with Heimdal and you cannot build
ipasam.so against Heimdal, only MIT Kerberos. So you cannot use
Ubuntu-provided Samba build this way even if you'd recompile
FreeIPA with patches we have upstream to deal with
libpdb -> libsamba-pdb library name change.
So until Samba in Debian and Ubuntu is built against Heimdal Kerberos
(this is due to Debian/Ubuntu packaging Samba AD, not just Samba) it
is unlikely to have FreeIPA trust to AD working in Ubuntu. We are fairly
close with completing port of Samba AD to MIT Kerberos upstream, this
should happen in Samba 4.5-4.6 timeframe. Once that is done, we can
expect FreeIPA with trust to AD working on Debian-based platforms as
well."
It's 2019 now.
I've tried Ubuntu 18.04 (with Samba 4.7.6), but I still can't get it to work.
Possibly because MIT KDC is not enabled in Ubuntu's Samba [2]. The
following test shows empty output.
# smbd -b | grep HAVE_LIBKADM5SRV_MIT
Argh, what are my options?
[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1552249/comments/2
[2] https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
--
Kees Bakker