On Tue, 08 May 2018, Nathan Brown wrote:
Alexander,
Thanks for the quick reply. We want to “migrate” (manually) to IPA 4 (from IPA 3) and wish to use the new ipaNTHash attributes instead of the legacy Samba LDAP schema. The problem we are facing is that we need to use ipasam.so with Samba 4 if we want to use the new attributes.
At each site, we have an IPA 4 instance and Windows clients that need to be joined to a domain and a Linux file server that needs to also run Samba. I was hoping to use Samba4 AD with a Trust to the local IPA so we can use the AD features.
I hope what we are trying to do (upgrade) makes sense. Do you have any recommendations?
Trust between Samba AD and IPA would make sense, yes. Note that it would work with Heimdal-based Samba AD to a degree, but the MIT build is broken. I started looking into the actual flow and found some areas where we needed fixes in both SSSD and IPA too. Thus, I'm saying that this setup does not work right now.
A part of the work can be tracked with https://github.com/SSSD/sssd/pull/522, https://lists.samba.org/archive/samba-technical/2018-March/125974.html, and https://github.com/abbra/freeipa/commits/trust-samba-ad. These patch sets aren't finished yet...
Thanks,
nate
On May 8, 2018, at 11:27, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 08 May 2018, Nathan Brown via FreeIPA-users wrote:
When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1 (MIT Kerberos), it fails with the following error:
[root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC --range-type=ipa-ad-trust --two-way=true --admin=Administrator --server dc.atlas5.hpc
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials
Trust between Samba 4.x and FreeIPA is not supported yet. I have some patches in progress but not finished yet.
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland