Date: Wed, 13 Jun 2018 22:11:23 +0300
From: Alexander Bokovoy abokovoy@redhat.com
Subject: [Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD
Yes, it is not supported right now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Hi, Alexander. I am writing an article for a Russian IT portal about FreeIPA. I want to talk about Samba, IPA with AD trust, and the problems. May I use your phrases from this mailing list as an expert opinion? I want to caution other people about troubles with IPA.
On Thu, 14 Jun 2018, Николай Савельев wrote:
> Date: Wed, 13 Jun 2018 22:11:23 +0300
> From: Alexander Bokovoy abokovoy@redhat.com
> Subject: [Freeipa-users] Re: Hardship setting up samba share that depends on IPA trust with AD
>
> Yes, it is not supported right now.
>
> Hi, Alexander. I am writing an article for a Russian IT portal about FreeIPA. I want to talk about Samba, IPA with AD trust, and the problems. May I use your phrases from this mailing list as an expert opinion? I want to caution other people about troubles with IPA.
It is all written on the wiki: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
--------
NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.

NOTE: When a Windows client accesses shares, Windows UI will need to be able to resolve SIDs in access control lists. Inability to do so will affect user experience and the way how applications are expected to work with the share. A set of experiments in 2017 have demonstrated that Microsoft does not test various fall backs around this behavior and only consider the path used by Windows UI to communicate with a Global Catalog service. It is also a 'client-specific' behavior and thus is not subject of a protocol interoperability or being documented anywhere. While for some applications/use cases it may work, it will not work for many others, thus we cannot really qualify it as a supported solution from FreeIPA side.
--------