Hello everyone,
Does somebody know if it is now possible to build a trust between Samba 4.10 with MIT Kerberos and FreeIPA version 4.7? The last entry about this is about a year old. Maybe someone here on this list has new information for me.
Regards Dirk
On Mon, 13 May 2019, Dirk Streubel via FreeIPA-users wrote:
> Hello everyone,
> Does somebody know if it is now possible to build a trust between Samba 4.10 with MIT Kerberos and FreeIPA version 4.7? The last entry about this is about a year old. Maybe someone here on this list has new information for me.
You may try with versions in Fedora 30 (updates). It includes FreeIPA 4.7.90.pre1 which has some improvements in this area.
Thanks a lot for your quick answer. :) I will try it.
See you at SambaXP next month in Göttingen, Germany ;)
Regards Dirk
On Mon, 13 May 2019, Dirk Streubel via FreeIPA-users wrote:
> Thanks a lot for your quick answer. :) I will try it.
> See you at SambaXP next month in Göttingen, Germany ;)
I hope you'll enjoy the conference. Sadly, I'm not attending this year for family reasons.
Now I have a little problem with logging in as Domain Admin from the Windows domain to the ipaserver. kinit administrator@testlab.intranet... works. klist tells me everything is fine. But when I use PuTTY to log in as a Domain Admin to the ipaserver, nothing happens. I only see the following message on the ipaserver in /var/log/secure:
May 17 12:01:49 ipaserver1 sshd[2061]: error: PAM: User not known to the underlying authentication module for illegal user administrator@testlab.intranet.... from 192.168.122.10
I have searched with Google but there is no help to be found :(
Any idea?
Regards Dirk
On Mon, May 13, 2019 at 01:06:10PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 13 May 2019, Dirk Streubel via FreeIPA-users wrote:
> > Does somebody know if it is now possible to build a trust between Samba 4.10 with MIT Kerberos and FreeIPA version 4.7? The last entry about this is about a year old. Maybe someone here on this list has new information for me.
> You may try with versions in Fedora 30 (updates). It includes FreeIPA 4.7.90.pre1 which has some improvements in this area.
Just to be sure: this is about AD users from a Samba-based domain accessing FreeIPA resources. The other way around (i.e. IPA users logging into Windows systems) is not expected to work, right?
AFAICT, it still hinges on the availability of a Global Catalog implementation on the IPA side. Correct?
Is your 2017 SambaXP talk[1] still an accurate description of what would need to happen to make this work?
Thanks, Lars
On Fri, 17 May 2019, Lars Seipel wrote:
> On Mon, May 13, 2019 at 01:06:10PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> > On Mon, 13 May 2019, Dirk Streubel via FreeIPA-users wrote:
> > > Does somebody know if it is now possible to build a trust between Samba 4.10 with MIT Kerberos and FreeIPA version 4.7? The last entry about this is about a year old. Maybe someone here on this list has new information for me.
> > You may try with versions in Fedora 30 (updates). It includes FreeIPA 4.7.90.pre1 which has some improvements in this area.
> Just to be sure: this is about AD users from a Samba-based domain accessing FreeIPA resources. The other way around (i.e. IPA users logging into Windows systems) is not expected to work, right?
Correct.
> AFAICT, it still hinges on the availability of a Global Catalog implementation on the IPA side. Correct?
Correct.
> Is your 2017 SambaXP talk[1] still an accurate description of what would need to happen to make this work?
Yes. I have made some progress since that time in somewhat obscure areas around domain membership on IPA clients. Some of that work showed that in some cases it is possible to resolve IPA users' SIDs to names without a global catalog too. I'm intending to look into that after landing domain member work soon.
On Fri, May 17, 2019 at 07:11:23PM +0300, Alexander Bokovoy wrote:
> On Fri, 17 May 2019, Lars Seipel wrote:
> > On Mon, May 13, 2019 at 01:06:10PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> > > You may try with versions in Fedora 30 (updates). It includes FreeIPA 4.7.90.pre1 which has some improvements in this area.
> > Just to be sure: this is about AD users from a Samba-based domain accessing FreeIPA resources. The other way around (i.e. IPA users logging into Windows systems) is not expected to work, right?
> Correct.
> > AFAICT, it still hinges on the availability of a Global Catalog implementation on the IPA side. Correct?
> Correct.
> > Is your 2017 SambaXP talk[1] still an accurate description of what would need to happen to make this work?
> Yes. I have made some progress since that time in somewhat obscure areas around domain membership on IPA clients. Some of that work showed that in some cases it is possible to resolve IPA users' SIDs to names without a global catalog too. I'm intending to look into that after landing domain member work soon.
Cool, thanks!
Lars
Hello Lars, hello Alexander,
Yes, you are right, Lars. It is about AD users from a Samba-based domain (Fedora 30 with Samba 4.10) accessing FreeIPA resources. I took the instructions from the official IPA website (https://www.freeipa.org/page/Active_Directory_trust_setup) and I get no access as a Windows Domain Admin to FreeIPA resources.
With Windows 2012 it works, no problem. :-(
Alexander, do you have in mind when the other way would be implemented? I think it would be a great feature to access a Windows / Samba AD as a FreeIPA user and use resources from the AD side.
Regards Dirk
freeipa-users@lists.fedorahosted.org