On Wed, 18 Jan 2023, Николай Савельев via FreeIPA-users wrote:
Hi.
I have samba on centos 7, version 4.8.3. I set it up with this instruction
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
Difference only - security = user, because with ads I can't connect.
Also I have AD integrations and linux acls on shares, all works fine.
Now I want to migrate to Oracle Linux 8. There are samba versions from
4.9.1-8.el8 to 4.16.4-2.0.1.el8.
I make the same settings on the new server.
But with versions 4.15 - 4.16 I can't connect to the server from Windows
clients. And I can connect from a Linux client (Ubuntu 20.04).
With versions 4.9 - 4.14 I can connect to the server from both types of
clients, but there is a strange situation with acls.
setfacl -m user:username@ad_domain:rwx -R dir/ - ad user can write, read
setfacl -m group:ipa_group:rwx -R dir/ - ad user can't get into directory,
from ubuntu doesn't see dir
I add AD group via external group to ipa. With centos 7 all works fine.
On the new server I can see ad user into ipa group and ad group.
Also, I can work with these dirs via NFS - all works properly for IPA and
AD users and groups.
Any ideas? What did I miss?
Since RHEL 8.1 or so, the supported configuration to set up a Samba file
server on IPA client is described here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
The specific part is
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
This configuration still has its limitations but the case you describe
above should be working just fine if you set things the way
documentation tells you.
This setup was not possible on RHEL 7. You can get more technical
details at FreeIPA design pages:
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-mem...
and
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-con...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland