On Tue, 08 May 2018, Nathan Brown wrote:
Thanks for the quick reply. We want to “migrate” (manually) to
IPA 4 (from IPA 3) and wish to use the new ipaNTHash attributes instead
of the legacy Samba LDAP schema. The problem we are facing is that we
need to use ipasam.so with Samba 4 if we want to use the new attributes.
At each site, we have an IPA 4 instance and Windows clients that need
to be joined to a domain and a Linux file server that needs to also run
Samba. I was hoping to use Samba4 AD with a Trust to the local IPA so
we can use the AD features.
I hope what we are trying to do (upgrade) makes sense. Do you have any
Trust between Samba AD and IPA would make sense, yes. Note that it
works with Heimdal-based Samba AD to a degree, but the MIT build is broken. I
started looking into the actual flow and found some areas where we needed
fixes in both SSSD and IPA too. Thus, I'm saying that this setup does
not work right now.
Part of the work can be tracked at https://github.com/SSSD/sssd/pull/522
These patch sets aren't finished yet...
>> On May 8, 2018, at 11:27, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>> On Tue, 08 May 2018, Nathan Brown via FreeIPA-users wrote:
>> When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1
>> (MIT Kerberos), it fails with the following error:
>> [root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC
>> --range-type=ipa-ad-trust --two-way=true --admin=Administrator
>> --server dc.atlas5.hpc
>> Active Directory domain administrator's password:
>> ipa: ERROR: Insufficient access: CIFS server denied your credentials
> Trust between Samba 4.x and FreeIPA is not supported yet.
> I have some patches in progress but not finished yet.
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland