On Wed, 13 Mar 2019, fujisan wrote:
Hi Alexander,
Finally succeeded to make it work with the following configuration on the
freeipa server.
[global]
workgroup = MYDOMAIN.LOCAL
netbios name = MYSERVER
realm = MYDOMAIN.LOCAL
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
create krb5 conf = no
security = user
domain master = yes
domain logons = yes
max log size = 100000
log file = /var/log/samba/log.%m
rpc_server:epmapper = external
rpc_server:lsarpc = external
rpc_server:lsass = external
rpc_server:lsasd = external
rpc_server:samr = external
rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
smb ports = 139 445
log level = 10
[scratch]
path = /data/scratch
comment = Scratch shared files
read only = no
browseable = yes
guest ok = no
create mask = 0644
I commented out the following from the global section:
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;disable spoolss = yes
;ldapsam:trusted = yes
;ldap ssl = off
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
;ldap group suffix = cn=groups,cn=accounts
;ldap machine suffix = cn=computers,cn=accounts
Any idea why this was causing trouble?
You basically killed IPA integration here by doing it. Not resolving
users and SIDs through IPA LDAP and not setting up any other way to
resolve it.
Also, when I check in the properties, tab "security" in Windows, of a file
in the freeipa server's share /data/scratch, the SIDs of user and group are
not resolved.
My desktop is also a samba server and the SIDs are resolved.
What could be the cause of this non-resolution of the SIDs?
Everything. ;)
We do not support yet properly running Samba file server on IPA member
(or IPA master, for that matter). I'm working on that and have some
proof of concept but it is not finished yet.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
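
A check for the condition described in the reply above, as an added example that is not part of the original thread: it reports which of the identity-related [global] parameters quoted in the message are active and which are commented out. The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
security = user
;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
;ldapsam:trusted = yes
;ldap suffix = dc=mydomain,dc=local
;ldap user suffix = cn=users,cn=accounts
[scratch]
path = /data/scratch
"""

# Parameters from the thread that point Samba's account/SID lookups at IPA LDAP.
IDENTITY_KEYS = ["passdb backend", "ldapsam:trusted", "ldap suffix",
                 "ldap user suffix", "ldap group suffix", "ldap machine suffix"]

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.lower().split())

CANONICAL = {_norm(k): k for k in IDENTITY_KEYS}

def audit_global(text):
    """Return (active, disabled) dicts of identity parameters in [global]."""
    active, disabled, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = _norm(header.group(1))
            continue
        if section != "global" or not line:
            continue
        commented = line[0] in ";#"  # both characters start a comment line
        body = line.lstrip(";# \t")
        if "=" not in body:
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        if _norm(key) in CANONICAL:
            (disabled if commented else active)[CANONICAL[_norm(key)]] = value
    return active, disabled

def uses_ipasam(text):
    """True only if an uncommented 'passdb backend' selects the ipasam module."""
    active, _ = audit_global(text)
    return active.get("passdb backend", "").lower().startswith("ipasam:")
```

With no active `passdb backend` line, Samba falls back to its built-in default backend (tdbsam), so nothing in the configuration refers to the IPA LDAP tree any more.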