#3999 [RFE] Fix and Document how to set up Samba File Server with IPA
Closed: fixed 4 years ago by abbra. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1009093

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Warn about 'ldap passwd sync = yes' - it attempts to update LM/NT hashes when a password is updated. This is not a supported mode in the IPA case since IPA handles password changes by itself.

Inform that with FreeIPA 3.x and use of trusts feature we already have means to manage all group attributes and passwords without really enforcing use of alternative Samba groups LDAP schema. What is needed is a validation of a Samba-based file server setup relying on this configuration.

Produce instructions on how to set up samba file server - on FreeIPA.org wiki or User Guide. Alternatively, think about extending ipa-advise tool with a recipe.

ldap passwd sync should be set to 'only'

Samba provides an API, PASSDB, for connecting to a data store for user/password/domain topology information. There is an ldapsam module in Samba that implements the API for accessing an LDAP store. It could be used with FreeIPA, like http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

Note, however, this is suboptimal -- as you can see from the article above, IPA uses a different LDAP schema to store information. In addition, ldapsam isn't providing a secure way to authenticate to the LDAP server, which means you are going to deal with password exposure of an account that will be used for authentication -- and many people are really low at this, using the admin account in the ldapsam configuration.

We have a module, ipasam, in FreeIPA, which supports all IPA schema details. However, it is assumed to be running on IPA masters. This is in general not really a tight requirement, just the current state of affairs:

A module needs to be packaged separately from freeipa-server-trust-ad (like freeipa-samba-module) so that it could be installed without requiring full FreeIPA master.

The ipasam module relies on GSSAPI authentication. We define a principal, cifs/hostname, fetch its key and allow it to authenticate to LDAP. As a result, it is a signed and encrypted connection, with proper protection of the key material.

On the LDAP server side we have access controls in place that limit access to passwords (hashes, Kerberos keys, etc) to only a selected number of parties. A user can access its own password, the 'trust agents' group can access user passwords, and admin can access-and-taint the password upon modification. Everybody else cannot see the fields at all. Admin's tainting of the password means that any change of the password through Samba and ldapsam (with the admin account) would cause the user password to be reset, requiring a change the next time the user needs to log in.

The 'trust agents' group also has access to domain topology information and trust objects, specifically their auth fields, which is not really required for a normal Samba file server. We need to create another group, 'cifs servers', that would need to gain a new set of ACIs, limiting its use to what is really needed for file serving and authentication against IPA.

In addition, ipasam then needs to gain code to deal with cases when it cannot read trust object auth info, instead of failing.
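As an added example (not code from the ticket or from FreeIPA), a small Python audit of an smb.conf [global] section that flags the two things the ticket warns about: 'ldap passwd sync = yes' and an ldapsam backend bound as the admin account. Both sample configurations are constructed, and the ipasam backend URI is an assumption, not the file FreeIPA tooling writes.

```python
import re

# Constructed sample: a typical ldapsam setup of the kind the ticket warns about.
SAMPLE_LDAPSAM = """
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ipa.example.test
    ldap admin dn = uid=admin,cn=users,cn=accounts,dc=example,dc=test
    ldap passwd sync = yes
"""

# Constructed sample using ipasam (GSSAPI as cifs/hostname, no bind password); URI assumed.
SAMPLE_IPASAM = """
[global]
    workgroup = EXAMPLE
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
    ldap passwd sync = only
"""

def parse_global(text):
    """Return the [global] section of an smb.conf as a dict (keys lowercased)."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments start the line
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            in_global = section.group(1).strip().lower() == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)  # first '=' only: DNs contain '='
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(params):
    """Return findings for the problems the ticket calls out, in a fixed order."""
    findings = []
    module = params.get("passdb backend", "tdbsam").split(":", 1)[0].lower()
    sync = params.get("ldap passwd sync", "no").lower()
    if module in ("ldapsam", "ipasam") and sync != "only":
        why = "Samba would rewrite LM/NT hashes itself" if sync == "yes" else "IPA owns password changes"
        findings.append(f"ldap passwd sync = {sync}: {why}; set it to 'only'")
    if module == "ldapsam":
        findings.append("ldapsam: bind credentials are exposed on the file server; "
                        "ipasam authenticates with the cifs/hostname Kerberos key instead")
        if re.search(r"\buid=admin\b", params.get("ldap admin dn", ""), re.I):
            findings.append("ldap admin dn is the IPA admin: password changes via Samba "
                            "taint the user's password and the account is over-privileged")
    return findings
```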

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

https://lists.samba.org/archive/samba-technical/2018-November/131274.html describes my current approach to the problem and what is still missing to complete it.

Metadata Update from @abbra:
- Issue close_status updated to: None

5 years ago

Metadata Update from @rcritten:
- Issue tagged with: documentation

4 years ago

Current implementation of a toolset to enable Samba file server on IPA domain member is provided in https://github.com/freeipa/freeipa/pull/3267. It is WIP but mostly working; the remaining bits to implement are:

  • synchronize host and SMB keytabs on IPA masters
  • rewrite design document to follow implemented flow
  • integrate with web UI / CLI for user trust attributes

master:

  • 84201e1 adtrust: add design document for Samba domain member on IPA client
  • cdb94e0 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
  • d85e055 ipapython.ipautil.run: allow skipping stdout/stderr logging
  • a423526 ipasam: add lookup of an account by SID
  • 91abd1f ipasam: add handling of machine accounts
  • 653f720 kdb: support SMB services on IPA domain members
  • d631e00 adtrust: update Samba domain controller keytab with host keys
  • afb8305 ipaserver.plugins.service: add service-add-smb to set up an SMB service
  • 814592c ipa-client-samba: a tool to configure Samba domain member on IPA client
  • e25392e prci: add test_integration/test_smb to the gating set

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
4 years ago

master:

  • 339771b Remove unreachable code
  • c18ee9b Add SMB attributes for users

master:

  • 8d2125f Enable literal-comparison linter again
  • 0fc4b8c Fix wrong use of identity operation
  • 0d7eb0a Add new env vars to pylint plugin

ipa-4-8:

  • 70302ab Enable literal-comparison linter again
  • 4c17a9b Fix wrong use of identity operation
  • 576e2ce Add new env vars to pylint plugin

master:

  • 074bf28 ipatests: allow to pass additional options for clients installation
  • 3fa7865 ipatests: add utility functions related to using and managing user accounts
  • 1fe69f3 ipatests: modify run_command to allow specify successful return codes
  • 1d033b0 ipatests: refactor and extend tests for IPA-Samba integration

ipa-4-8:

  • c14aa5d ipatests: allow to pass additional options for clients installation
  • 0b62616 ipatests: add utility functions related to using and managing user accounts
  • a45662a ipatests: modify run_command to allow specify successful return codes
  • a4839f6 ipatests: refactor and extend tests for IPA-Samba integration

Metadata Update from @abbra:
- Custom field changelog adjusted to Samba file server can now be configured on the FreeIPA-enrolled system to provide file services to users in IPA domain and to users from trusted Active Directory forests

3 years ago
