Hi,
A belated thanks for the reply and I seem to have solved the problem. The cause might have
been obvious to others, but I will describe it here briefly in case it helps others:
- We have a FreeIPA server and this exports a number of directories by Samba. FreeIPA was
set up as described above and Samba as described here
(https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_I...).
- There is no trust with the Windows domain / AD. Some of the users are also using OSX.
- FreeIPA users were unable to mount the Samba shares if they entered
\\samba.linux.company.local\samba_share_name in e.g. Windows Explorer.
- The issue was that I had changed the users' UIDs and GIDs from those automatically
assigned by the Web UI to their current values to aid migration. The values were then
outside of the local domain range defined in the IPA server > ID ranges tab of the Web
UI. As soon as this range was changed (in my case through reinstalling FreeIPA server with
the option "--idstart=2000") the users could mount the shares from Windows.
A bit frustrating, but still a lot easier than setting up LDAP even without Samba! :-)
Somewhat off-topic. Does anyone know if the connection between the clients (Windows or
OSX) and the FreeIPA/Samba server is encrypted or how I could find this out? This is the
output of 'net conf list':
[global]
workgroup = LINUX
netbios name = IPA
realm = LINUX.CRELUX.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
log level = 1
max log size = 100000
log file = /var/log/samba/log.%m
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
disable spoolss = yes
ldapsam:trusted = yes
ldap ssl = off
ldap suffix = dc=linux,dc=crelux,dc=local
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
I guess from the line 'ldap ssl = off' that the user credentials are being sent in
plain-text. Is this correct?
Best regards,
Rob
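An added example, not part of Rob's message nor of FreeIPA or Samba: a small Python check that parses the 'net conf list' output quoted above and reports which link each setting actually protects (the LDAP backend link versus the client SMB link). It assumes the values shown in the message; the excerpt below is constructed from them, and 'smb encrypt' and 'server signing' are standard Samba parameters.

```python
import re

# Constructed excerpt of the 'net conf list' output quoted in the message above.
SAMPLE_CONF = """
[global]
security = user
kerberos method = dedicated keytab
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-LINUX-CRELUX-LOCAL.socket
ldap ssl = off
"""

def parse_net_conf(text):
    """Parse smb.conf-style output into {section: {key: value}} (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def assess_transport(sections):
    """Report which link each setting protects; returns a dict of findings."""
    g = sections.get("global", {})
    # passdb backend looks like '<module>:<url>'; ldapi:// is a local Unix socket.
    url = g.get("passdb backend", "").partition(":")[2]
    if url.startswith("ldapi://"):
        ldap_link = "unix socket, never on the wire"      # 'ldap ssl' does not apply
    elif url.startswith("ldaps://"):
        ldap_link = "tls"
    elif url.startswith("ldap://"):
        ldap_link = "tls" if g.get("ldap ssl", "off") != "off" else "cleartext tcp"
    else:
        ldap_link = "no network LDAP backend"
    return {
        "ldap_link": ldap_link,
        # Client<->server SMB traffic is governed by 'smb encrypt', not 'ldap ssl'.
        "smb_encrypt": g.get("smb encrypt", "not set (encryption not enforced)"),
        "smb_signing": g.get("server signing", "not set"),
        # Kerberos clients present tickets; NTLM clients use challenge-response.
        "kerberos_ready": g.get("kerberos method", "secrets only") != "secrets only",
    }

if __name__ == "__main__":
    for key, value in assess_transport(parse_net_conf(SAMPLE_CONF)).items():
        print(f"{key}: {value}")
```

Run it against the full 'net conf list' output (or /etc/samba/smb.conf) to see whether client-side SMB encryption is actually enforced, which the quoted configuration does not set.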