Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations
The internal DNS does not support: zone transfers
https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_Win...
Conditional forwarders are not implemented yet
I THINK I actually got DNS working, but had to use a solution like the one here https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but when I attempt ipa add-trust, I see in the httpd error logs
[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR: Attempt to solve forest trust topology conflicts
[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says
In order to get properly working MIT krb5-based Samba4 build one have to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which confuses me ... how do I get an AD trust if I'm setting up samba without AD abilities??
Yet here https://www.freeipa.org/page/Windows_authentication_against_FreeIPA it recommends:
a. If you have an AD (Microsoft), use it
b. If you don't have a Microsoft AD, set up Samba4
but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to configure Samba and Freeipa, etc)
Thanks
On Fri, 10 Aug 2018, D Anderson via FreeIPA-users wrote:
Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
The documentation is only conflicting if you are using it in a conflicting way.
What is your use case, in the first place?
You want to run Samba AD DC and establish a trust from it to FreeIPA?
For a long time Samba AD DC lacked support for forest trusts, thus it was not possible to use it against FreeIPA. In 2015-17 Red Hat together with SerNet worked on improvements in this area in Samba. The changes were pushed out with various Samba releases, but I'd recommend looking at Samba 4.7+ -- at least that has all the bugs we knew about fixed in Samba AD DC based on Heimdal -- if you run the process from the IPA side.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA. The fixes went out recently to SSSD 1.16.3 (released today) and Samba 4.9RC2. The FreeIPA part of the changes is still not released, as we were waiting on the other upstream changes first and were busy finishing the FreeIPA 4.7.0 release too.
So, right now it is a bit of a mixed setup. You might get FreeIPA to establish trust to Samba AD DC built with Heimdal, Samba version 4.7 or later. Things might break, though, as it is known to fail in some edge cases without my patches to SSSD and FreeIPA.
On Mon, 13 Aug 2018, Alexander Bokovoy via FreeIPA-users wrote:
On Fri, 10 Aug 2018, D Anderson via FreeIPA-users wrote:
Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
The documentation is only conflicting if you are using it in a conflicting way.
What is your use case, in the first place?
You want to run Samba AD DC and establish a trust from it to FreeIPA?
For a long time Samba AD DC lacked support for forest trusts, thus it was not possible to use it against FreeIPA. In 2015-17 Red Hat together with SerNet worked on improvements in this area in Samba. The changes were pushed out with various Samba releases, but I'd recommend looking at Samba 4.7+ -- at least that has all the bugs we knew about fixed in Samba AD DC based on Heimdal -- if you run the process from the IPA side.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA. The fixes went out recently to SSSD 1.16.3 (released today) and Samba 4.9RC2. The FreeIPA part of the changes is still not released, as we were waiting on the other upstream changes first and were busy finishing the FreeIPA 4.7.0 release too.
Ah, I spoke too early: the MIT version of Samba AD DC is still lacking the fixes needed to support trust to FreeIPA upstream. The patchset is under review and needs a few more fixes to tests, as we are correcting the way the trusted domain object's account credentials are salted in Kerberos. These changes are yet to be committed upstream.
Hi Alex,
The documentation is only conflicting if you are using it in a conflicting way.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA.
Pardon my ignorance, I am just going by the documentation as is w/ no prior knowledge ... where in the documentation is that specified? The two main documentation pages I see when googling "freeipa AD trust" are:
https://www.freeipa.org/page/Active_Directory_trust_setup
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
1. If you do not have AD then use Samba 4 instead of it. As of Samba 4.3, Samba AD can establish cross-realm trusts. The feature is still incomplete and lacks proper access controls but it can be configured to trust FreeIPA.
It has no caveats or warnings on how samba is to be compiled/configured.
This older doc https://www.freeipa.org/page/IPAv3_AD_trust#Samba does, but is for IPAv3 (which I assumed was outdated).
I thought Samba by default used Heimdal , but you warn that kerberos is the broken implementation.
The changes were pushed out with various Samba releases but I'd recommend looking at Samba 4.7+ -- at least that has all bugs we knew about fixed in Samba AD DC based on Heimdal
I am using samba 4.8.3 compiled from source; is it recommended to instead use the Red Hat RPM one (currently appears to be 4.7.1)? I configured with
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
The other confusing part, at least to me, in regards to Samba setup ... do you know a working configuration using the samba internal DNS, or do you have to use the bind9 DLZ backend? Regardless of the kerberos, I still think my preliminary issue is with DNS as I see the errors
ipa: ERROR: Attempt to solve forest trust topology conflicts
[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
I understand this is the FreeIPA forum, and you can't be responsible for the documentation or limitations of Samba ... It's just that YOUR documentation does say you can use Samba ... is that just in theory, or is there an actual working case of it somewhere?
Almost ALL of the documentation I've seen seems very specific to "Windows 2008 DC" (or similar); am I on a wild goose chase, or is there some exact specific combination of how you configure Samba (kerberos, DNS backend, etc) that will work with FreeIPA?
Backing up to answer your basic question
What is your use case, in the first place? You want to run Samba AD DC and establish a trust from it to FreeIPA?
Yes, I am trying to implement an SSO solution for logon accounts for both Windows 10 clients and Linux clients (and other web/OAuth services that already integrate into freeipa).
It was my understanding that the current/only way to do this was
1) Run Samba AD that has the user accounts
2) establish trust from freeipa -> Samba
On Mon, Aug 13, 2018 at 9:51 AM, Alexander Bokovoy abokovoy@redhat.com wrote:
On ma, 13 elo 2018, Alexander Bokovoy via FreeIPA-users wrote:
On Fri, 10 Aug 2018, D Anderson via FreeIPA-users wrote:
Hello all,
I am confused by some of the conflicting documentation about whether this is possible or not. Almost all of the documentation/working examples seem to use an actual Windows Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has several known limitations.
The documentation is only conflicting if you are using it in a conflicting way.
What is your use case, in the first place?
You want to run Samba AD DC and establish a trust from it to FreeIPA?
For a long time Samba AD DC lacked support for forest trusts, thus it was not possible to use it against FreeIPA. In 2015-17 Red Hat together with SerNet worked on improvements in this area in Samba. The changes were pushed out with various Samba releases, but I'd recommend looking at Samba 4.7+ -- at least that has all the bugs we knew about fixed in Samba AD DC based on Heimdal -- if you run the process from the IPA side.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA. The fixes went out recently to SSSD 1.16.3 (released today) and Samba 4.9RC2. The FreeIPA part of the changes is still not released, as we were waiting on the other upstream changes first and were busy finishing the FreeIPA 4.7.0 release too.
Ah, I spoke too early: the MIT version of Samba AD DC is still lacking the fixes needed to support trust to FreeIPA upstream. The patchset is under review and needs a few more fixes to tests, as we are correcting the way the trusted domain object's account credentials are salted in Kerberos. These changes are yet to be committed upstream.
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Mon, 13 Aug 2018, Hacker Sword via FreeIPA-users wrote:
Hi Alex,
The documentation is only conflicting if you are using it in a conflicting way.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA.
Pardon my ignorance, I am just going by the documentation as is w/ no prior knowledge ... where in the documentation is that specified? The two main documentation pages I see when googling "freeipa AD trust" are:
https://www.freeipa.org/page/Active_Directory_trust_setup
This is a generic 'setup a trust to Active Directory' page. Its content was written and tested while using the Active Directory implementation from Microsoft.
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
- If you do not have AD then use Samba 4 instead of it. As of Samba 4.3, Samba AD can establish cross-realm trusts. The feature is still incomplete and lacks proper access controls but it can be configured to trust FreeIPA.
This is a page contributed by users. As with any wiki, it may contain incomplete or incorrect information.
It has no caveats or warnings on how samba is to be compiled/configured.
This older doc https://www.freeipa.org/page/IPAv3_AD_trust#Samba does, but is for IPAv3 (which I assumed was outdated).
This one is a general architecture page for IPA itself, written at the time when we started working on a trust to AD feature. Samba AD DC was not ready at that point for any forest trust.
I thought Samba by default used Heimdal , but you warn that kerberos is the broken implementation.
Things pretty much depend on your choice of distribution and compile options.
The changes were pushed out with various Samba releases but I'd recommend looking at Samba 4.7+ -- at least that has all bugs we knew about fixed in Samba AD DC based on Heimdal
I am using samba 4.8.3 compiled from source; is it recommended to instead use the Red Hat RPM one (currently appears to be 4.7.1)? I configured with
./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
This would use the embedded Heimdal build, I believe.
The other confusing part, at least to me, in regards to Samba setup ... do you know a working configuration using the samba internal DNS, or do you have to use the bind9 DLZ backend? Regardless of the kerberos, I still think my preliminary issue is with DNS as I see the error.
ipa: ERROR: Attempt to solve forest trust topology conflicts
[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public: NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
This doesn't look related to DNS but rather to a particular feature of a forest trust where you are using overlapping names for any of 'NetBIOS name', 'DNS domain name', or SIDs for domains from both forests.
I understand this is the FreeIPA forum, and you can't be responsible for the documentation or limitations of Samba ... It's just that YOUR documentation does say you can use Samba ... is that just in theory, or is there an actual working case of it somewhere?
Our documentation does not say anything about that. Wiki may have mentions of some practical scenarios some users had success with.
FreeIPA release documentation is hosted at Red Hat's site, not on the FreeIPA wiki.
Almost ALL of the documentation I've seen seems very specific to "Windows 2008 DC" (or similar); am I on a wild goose chase, or is there some exact specific combination of how you configure Samba (kerberos, DNS backend, etc) that will work with FreeIPA?
https://github.com/abbra/cockpit-app-samba-ad/blob/master/lib/samba-ad-setup... contains the actual sequence I'm using on Fedora 28 to automatically configure Samba AD DC, where ${options.setup_type} is 'dc'.
Except for the bit of a generated krb5.conf config snippet, this should work regardless of which Kerberos option you chose to use. The Kerberos bit is specific to MIT Kerberos because the older Heimdal version embedded in Samba does not support directory includes.
Without the patches I was talking about in this thread you would not be able to establish trust from Samba side (e.g. using samba-tool).
Backing up to answer your basic question
What is your use case, in the first place? You want to run Samba AD DC and establish a trust from it to FreeIPA?
Yes, I am trying to implement an SSO solution for logon accounts for both Windows 10 clients and Linux clients (and other web/OAuth services that already integrate into freeipa)
It was my understanding that the current/only way to do this was
- Run Samba AD that has the user accounts
- establish trust from freeipa -> Samba
Correct, with the replacement that it is really about a compliant Active Directory deployment that supports proper forest trust rather than Samba AD DC specifically.
And Windows 10 clients should be of a version that actually supports enrolling into Active Directory.
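The overlap Alexander points at above (NetBIOS name, DNS domain name or domain SID shared between the two forests) is what a forest-trust topology check enforces, and the -1073741601 in the quoted log is 0xC00000DF, STATUS_NO_SUCH_DOMAIN. The script below is an added example written for this page, not code from FreeIPA or Samba: it models that check over constructed forest records. The domain names, NetBIOS names and SIDs are invented, and the IPA and SAMBA_AD records are assumptions that mirror the poster's "AD as a subdomain of IPA" layout.

```python
"""Forest-trust topology conflict check (added example, not FreeIPA/Samba code).

A forest trust must keep three namespaces disjoint between the two forests:
DNS top-level names (and everything under them), NetBIOS names, and domain
SIDs. The sample forests at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class DomainInfo:
    dns_name: str       # e.g. "corp.example.test"
    netbios_name: str   # flat name, e.g. "CORP"
    sid: str            # domain SID, e.g. "S-1-5-21-1-2-3" (invented format for the sample)


@dataclass
class ForestInfo:
    top_level_names: List[str]                               # DNS suffixes the forest claims
    domains: List[DomainInfo]                                # domains inside the forest
    excluded_names: List[str] = field(default_factory=list)  # subtrees the forest disowns


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _same_or_under(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a DNS child of it."""
    n, s = _norm(name), _norm(suffix)
    return n == s or n.endswith("." + s)


def _excluded(name: str, exclusions: List[str]) -> bool:
    return any(_same_or_under(name, ex) for ex in exclusions)


def find_conflicts(local: ForestInfo, remote: ForestInfo) -> List[Tuple[str, str, str]]:
    """Return (kind, local_value, remote_value) for every overlap found."""
    conflicts = []

    # DNS: a top-level name may not equal or sit under the other forest's
    # top-level name, unless the forest owning the parent has excluded that
    # subtree (an exclusion record, modelled here as excluded_names).
    for a in local.top_level_names:
        for b in remote.top_level_names:
            if _same_or_under(a, b) and not _excluded(a, remote.excluded_names):
                conflicts.append(("dns", a, b))
            elif _same_or_under(b, a) and not _excluded(b, local.excluded_names):
                conflicts.append(("dns", a, b))

    # NetBIOS names form one flat, case-insensitive namespace across forests.
    local_nb = {d.netbios_name.upper(): d.netbios_name for d in local.domains}
    for d in remote.domains:
        key = d.netbios_name.upper()
        if key in local_nb:
            conflicts.append(("netbios", local_nb[key], d.netbios_name))

    # SIDs must be unique; a cloned or restored DC can end up reusing one.
    local_sids = {d.sid for d in local.domains}
    for d in remote.domains:
        if d.sid in local_sids:
            conflicts.append(("sid", d.sid, d.sid))

    return conflicts


def describe(conflicts: List[Tuple[str, str, str]]) -> str:
    if not conflicts:
        return "no topology conflicts"
    return "; ".join(f"{kind}: {a} overlaps {b}" for kind, a, b in conflicts)


# Constructed sample (assumption): the poster's layout, AD under the IPA domain.
IPA = ForestInfo(
    top_level_names=["ipa.example.test"],
    domains=[DomainInfo("ipa.example.test", "IPA", "S-1-5-21-100-200-300")],
)
SAMBA_AD = ForestInfo(
    top_level_names=["ad.ipa.example.test"],
    domains=[DomainInfo("ad.ipa.example.test", "AD", "S-1-5-21-111-222-333")],
)

if __name__ == "__main__":
    print(describe(find_conflicts(IPA, SAMBA_AD)))
    # Same pair once the IPA side disowns the AD subtree of its own name.
    ipa_excl = ForestInfo(IPA.top_level_names, IPA.domains, ["ad.ipa.example.test"])
    print(describe(find_conflicts(ipa_excl, SAMBA_AD)))
```

Run as a script: the first line reports the DNS overlap that a parent/child layout produces, the second shows the same pair clean once the forest owning the parent name excludes the child subtree. The NetBIOS and SID checks are the other two namespaces named in the reply; a stale SID from a cloned DC is the one people rarely think to look for.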
Hi Alexander Bokovoy.
Do we have news about this? Is it possible now?
Thanks.
On Mon, 01 Apr 2019, Cosme Corrêa via FreeIPA-users wrote:
Hi Alexander Bokovoy.
Do we have news about this? Is it possible now?
Could you please quote a proper context?
On 14 August 2018 at 01:38, Hacker Sword via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Alex,
The documentation is only conflicting if you are using it in a conflicting way.
The choice of Kerberos library is important. Samba AD DC with MIT Kerberos is still broken regarding trust to FreeIPA.
Pardon my ignorance, I am just going by the documentation as is w/ no prior knowledge ... where in the documentation is that specified? The two main documentation pages I see when googling "freeipa AD trust" are:
https://www.freeipa.org/page/Active_Directory_trust_setup
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
I believe that the canonical documentation for FreeIPA is now the RedHat 7 documentation. These two very elegant URLs are the best documentation at the moment:
https://access.redhat.com/articles/1586893
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Cheers L.
freeipa-users@lists.fedorahosted.org