Hello all,
First post here. I have been researching for quite some time and as a Linux user I would
list myself as medium level: not an expert, but not new. I have a FreeIPA server that is
set up as the central identity management server. I want to set up two shares within Samba
using FreeIPA as the auth source. Please, any and all help is welcome. I am doing this for
learning purposes, so any pointers are helpful as well.
Share1: public
Share2: homes
Here are a few sites\articles I have read and tried to glean off of:
https://www.freeipa.org/page/Howto/I...erver_With_IPA
https://bgstack15.wordpress.com/2017...-freeipa-auth/
https://centos.org/forums/viewtopic.php?f=50&t=61110
https://www.centos.org/docs/5/html/D...a-servers.html
I "think" that the problem I'm facing is either a
permissions/security (firewalld/SELinux) or configuration issue. I am not the best with
SELinux yet, but I do want to use it, so turning it off permanently is not an option.
When trying from a Windows 7 VM I get the message "You do not have permission to
access \\samba.domain.com". Checking from another Linux client that's already on
the FreeIPA domain and running as the admin user, I get this message:
[root@Desktop ~]# kinit admin
Password for admin@DOMAIN.COM:
[root@Desktop ~]# smbclient -k -L samba.domain.com
session setup failed: NT_STATUS_ACCESS_DENIED
[root@Desktop ~]# smbclient -k //samba.domain.com/public
session setup failed: NT_STATUS_ACCESS_DENIED
Below are the steps I have taken to attempt my setup...
[root@samba ~]# yum install ipa-client sssd-libwclient samba samba-client
[root@samba ~]# ipa-client-install --mkhomedir --force-ntpd
Discovery was successful!
Client hostname: samba.domain.com
Realm: DOMAIN.COM
DNS Domain: domain.com
IPA Server: ldap.domain.com
BaseDN: dc=domain,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@DOMAIN.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DOMAIN.COM
Issuer: CN=Certificate Authority,O=DOMAIN.COM
Valid From: 2017-09-22 16:17:45
Valid Until: 2037-09-22 16:17:45
....
....
......
[root@samba ~]# kinit admin
Password for admin@PWG-WORLD.COM:
[root@samba ~]# authconfig --enablesssdauth --enablemkhomedir --update
[root@samba ~]# man ipa-getkeytab
[root@samba ~]# ipa-getkeytab -s ldap.pwg-world.com -p cifs/samba.pwg-world.com -k /etc/samba/samba.keytab
Keytab successfully retrieved and stored in: /etc/samba/samba.keytab
[root@samba ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp
[root@samba ~]# vi /etc/samba/smb.conf
~~~~~~~~~~~~~~~~~~~~~~/etc/samba/smb.conf~~~~~~~~~~~~~~~~~~~~~~
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads
[homes]
browsable = no
writable = yes
[shared]
path = /home/shared
writable = yes
browsable = yes
write list = @admins
[public]
path = /public
writable = yes
browsable = yes
valid users = @ipausers
~~~~~~~~~~~~~~~~~~~~~~/etc/samba/smb.conf~~~~~~~~~~~~~~~~~~~~~~
[root@samba ~]# setsebool -P samba_enable_home_dirs on
[root@samba ~]# semanage fcontext -a -t samba_share_t "/public(/.*)?"
[root@samba ~]# restorecon -Rv /public
restorecon reset /public context system_u:object_r:public_content_rw_t:s0->system_u:object_r:samba_share_t:s0
[root@samba ~]# firewall-cmd --permanent --add-service=samba
success
[root@samba ~]# firewall-cmd --reload
success
For the ldap portion:
[root@ldap ~]# kinit admin
Password for admin@domain.COM:
[root@ldap ~]# ipa service-add cifs/samba.domain.com
------------------------------------------------------
Added service "cifs/samba.domain.com@DOMAIN.COM"
------------------------------------------------------
Principal name: cifs/samba.domain.com@DOMAIN.COM
Principal alias: cifs/samba.domain.com@DOMAIN.COM
Managed by: samba.domain.com
FreeIPA Server Version:
[root@ldap ~]# rpm -qa | grep ipa-server
ipa-server-trust-ad-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch
FreeIPA Client Version:
[root@samba ~]# rpm -qa | grep ipa-client
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
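An added example (my own, not code from the post above nor from FreeIPA or Samba) that checks the piece of this setup that `smbclient -k` depends on first: the keytab that `ipa-getkeytab` wrote. It parses the MIT v2 (0x0502) keytab format and verifies that the file really holds `cifs/<fqdn>@<realm>` for the realm named in the `[global]` section of smb.conf, that the key is not DES/RC4-only, and which kvno it carries so that it can be compared with the KDC. The smb.conf text is the `[global]` section from the post; the keytab bytes are constructed in-script with the `build_keytab` helper rather than read from `/etc/samba/samba.keytab`, and `samba.domain.com` / `DOMAIN.COM` are the placeholder names used in the post.

```python
"""Added example: cross-check Samba's dedicated keytab against smb.conf [global]."""
import configparser
import struct

# Deprecated Kerberos enctypes: DES (RFC 6649) and RC4-HMAC (RFC 8429).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}

# The [global] section from the post (split "realm =" line re-joined); only [global] is checked.
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads
"""


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as an MIT keytab (0x0502).
    Used only to construct sample input here; a real keytab comes from ipa-getkeytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _counted(realm.encode())
        for comp in name.split("/"):
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab into dicts (principal, kvno, enctype, timestamp, keylen); key bytes stay private."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot of that many bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # newer writers append a 32-bit kvno after the key
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "timestamp": ts, "keylen": len(key)})
        pos = end
    return entries


def check_samba_keytab(smb_conf: str, keytab: bytes, fqdn: str) -> list:
    """Return human-readable problems; an empty list means [global] and the keytab agree."""
    cp = configparser.ConfigParser(interpolation=None)  # interpolation off: "log file" uses %m
    cp.read_string(smb_conf)
    g, problems = cp["global"], []
    realm = g.get("realm", "").strip()
    if not realm:
        problems.append("[global] has no realm")
    if g.get("kerberos method", "").strip() != "dedicated keytab":
        problems.append("kerberos method is not 'dedicated keytab', so smbd ignores the private keytab")
    if not g.get("dedicated keytab file", "").strip():
        problems.append("dedicated keytab file is not set")
    wanted = f"cifs/{fqdn}@{realm}"
    entries = parse_keytab(keytab)
    hits = [e for e in entries if e["principal"] == wanted]
    other_realm = sorted({e["principal"] for e in entries
                          if e["principal"].startswith(f"cifs/{fqdn}@") and e["principal"] != wanted})
    if not hits and other_realm:
        problems.append(f"realm {realm!r} in smb.conf does not match the keytab realm: {other_realm}")
    elif not hits:
        problems.append(f"keytab has no key for {wanted}; present: {sorted({e['principal'] for e in entries})}")
    elif all(e["enctype"] in WEAK_ENCTYPES for e in hits):
        problems.append(f"{wanted} only has weak enctypes: " + ", ".join(sorted({WEAK_ENCTYPES[e["enctype"]] for e in hits})))
    return problems


def cifs_kvno(keytab: bytes, principal: str):
    """Highest kvno held for principal, to compare with `kvno <principal>` run on a client with a
    ticket: every ipa-getkeytab run creates a new key and bumps the kvno on the KDC, so an older
    copy of the keytab stops working without any change to smb.conf."""
    return max((e["kvno"] for e in parse_keytab(keytab) if e["principal"] == principal), default=None)
```

Against the real files (as root, since the keytab is the service's long-term key), call `check_samba_keytab(open("/etc/samba/smb.conf").read(), open("/etc/samba/samba.keytab", "rb").read(), "samba.domain.com")`; an empty list means the keytab is not the reason for `NT_STATUS_ACCESS_DENIED`, and the Samba-side settings (security mode, idmap) and SELinux are the next things to look at, which this script does not cover. If `cifs_kvno` reports a lower number than `kvno cifs/samba.domain.com` prints on a client, the keytab was fetched before a later `ipa-getkeytab` run and must be retrieved again.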