Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1009093
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Warn about 'ldap passwd sync = yes' - it attempts to update LM/NT hashes when a password is updated. This is not a supported mode in the IPA case, since IPA handles password changes by itself. Inform that with FreeIPA 3.x and the use of the trusts feature we already have means to manage all group attributes and passwords without really enforcing the use of the alternative Samba groups LDAP schema. What is needed is a validation of a Samba-based file server setup relying on this configuration. Produce instructions on how to set up a Samba file server - on the FreeIPA.org wiki or in the User Guide. Alternatively, think about extending the ipa-advise tool with a recipe.
ldap passwd sync should be set to 'only'
Samba provides an API, PASSDB, for connecting to a data store for user/password/domain topology information. There is an ldapsam module in Samba that implements the API for accessing an LDAP store. It could be used with FreeIPA, as in http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
Note, however, that this is suboptimal -- as you can see from the article above, IPA uses a different LDAP schema to store information. In addition, ldapsam isn't providing a secure way to authenticate to the LDAP server, which means you are going to deal with password exposure of the account that will be used for authentication -- and many people are really lax about this, using the admin account in the ldapsam configuration.
We have a module, ipasam, in FreeIPA, which supports all IPA schema details. However, it is assumed to be running on IPA masters. This is in general not really a tight requirement, just the current state of affairs:
The module needs to be packaged separately from freeipa-server-trust-ad (e.g. as freeipa-samba-module) so that it could be installed without requiring a full FreeIPA master.
The ipasam module relies on GSSAPI authentication. We define a principal, cifs/hostname, fetch its key and allow it to authenticate to LDAP. As a result, the connection is signed and encrypted, with proper protection of the key material.
On the LDAP server side we have access controls in place that limit access to passwords (hashes, Kerberos keys, etc.) to a selected number of parties. A user can access its own password, the 'trust agents' group can access user passwords, and admin can access and taint the password upon modification. Everybody else cannot see the fields at all. Admin's tainting of the password means that any change of the password through Samba and ldapsam (with the admin account) would cause the user password to be reset, requiring a change the next time the user needs to log in.
The 'trust agents' group also has access to domain topology information and trust objects, specifically their auth fields, which is not really required for a normal Samba file server. We need to create another group, 'cifs servers', that would gain a new set of ACIs limiting its use to what is really needed for file serving and authentication against IPA.
In addition, ipasam then needs to gain code to deal with cases when it cannot read trust object auth info, instead of failing.
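As an added example (my own code, not code from FreeIPA, Samba or this ticket), the following Python script audits an smb.conf for the problems discussed in the comment above: 'ldap passwd sync' not set to 'only', an ldapsam backend that binds with a stored password (worst case the IPA admin account, over cleartext LDAP), and an ipasam backend with no keytab for its GSSAPI bind. The two sample configurations, the hostnames, the keytab path and the 'kerberos method' check are assumptions of mine, not taken from the ticket.

```python
"""Audit an smb.conf for the Samba/FreeIPA pitfalls discussed in the ticket.

Added example, not FreeIPA or Samba code. Checks the [global] section for:
  - 'ldap passwd sync' not set to 'only' (Samba would write LM/NT hashes itself)
  - an ldapsam backend (IPA schema mismatch, password-based LDAP bind)
  - ldapsam binding as the IPA admin (uid=admin,...)
  - ldapsam over plain ldap:// without 'ldap ssl = start tls' (password in clear)
  - an ipasam backend with no keytab-backed 'kerberos method' (assumption: the
    member server supplies its cifs/ key through a keytab for GSSAPI binds)
"""
import re

# Constructed sample: the ldapsam setup the comment above warns about.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    security = user
    passdb backend = ldapsam:ldap://ipa.example.test
    ldap suffix = dc=example,dc=test
    ldap admin dn = uid=admin,cn=users,cn=accounts,dc=example,dc=test
    ldap ssl = off
    ldap passwd sync = yes
"""

# Constructed sample: the ipasam/GSSAPI shape the comment recommends
# (URL and keytab path are assumptions, not taken from the ticket).
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    security = user
    passdb backend = ipasam:ldaps://ipa.example.test
    ldap suffix = dc=example,dc=test
    ldap passwd sync = only
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, # and ; comments.
    Parameter names are normalised to lower case with single spaces (Samba ignores
    case and whitespace in them); values keep their original form."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split on the first '=' only
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (rule_id, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    # Samba's default is 'no', which still has Samba write the LM/NT hash attributes.
    sync = g.get("ldap passwd sync", "no").lower()
    if sync != "only":
        findings.append(("ldap-passwd-sync",
                         f"ldap passwd sync = {sync}: Samba would update LM/NT hashes "
                         "itself; IPA owns password changes, set it to 'only'"))

    backend = g.get("passdb backend", "").lower()
    module, _, url = backend.partition(":")
    if module == "ldapsam":
        findings.append(("ldapsam-backend",
                         "passdb backend = ldapsam: no IPA schema support and a stored "
                         "bind password; prefer ipasam with GSSAPI"))
        admin_dn = g.get("ldap admin dn", "")
        if re.match(r"uid=admin\s*,", admin_dn, re.IGNORECASE):
            findings.append(("admin-bind",
                             f"ldap admin dn = {admin_dn}: the IPA admin password would "
                             "sit in secrets.tdb, and every password change made through "
                             "Samba taints the user's password"))
        if url.startswith("ldap://") and g.get("ldap ssl", "off").lower() != "start tls":
            findings.append(("cleartext-bind",
                             "ldapsam over ldap:// without 'ldap ssl = start tls': the "
                             "bind password crosses the network in clear"))
    elif module == "ipasam":
        if "keytab" not in g.get("kerberos method", "").lower():
            findings.append(("no-keytab",
                             "ipasam authenticates with GSSAPI; point 'kerberos method' "
                             "at a keytab holding the cifs/ principal key (assumed setup)"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        found = audit_smb_conf(conf)
        print(f"{name}: {len(found)} finding(s)")
        for rule, msg in found:
            print(f"  [{rule}] {msg}")
```

Run it as-is to see the weak configuration produce four findings and the hardened one none; feed it your own smb.conf text to check a member server before pointing it at IPA. The parser deliberately ignores `include =` and `config file` directives, so audit the fully expanded configuration (for example the output of `testparm -s`) when those are in use.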
Metadata Update from @mkosek: - Issue assigned to someone - Issue set to the milestone: Future Releases
https://lists.samba.org/archive/samba-technical/2018-November/131274.html describes my current approach to the problem and what is still missing to complete it.
Metadata Update from @abbra: - Issue close_status updated to: None
Metadata Update from @rcritten: - Issue tagged with: documentation
The current implementation of a toolset to enable a Samba file server on an IPA domain member is provided in https://github.com/freeipa/freeipa/pull/3267. It is WIP but mostly working; the remaining bits to implement are:
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=837604 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1009093)
ipa-4-8:
Metadata Update from @abbra: - Custom field changelog adjusted to Samba file server can now be configured on the FreeIPA-enrolled system to provide file services to users in IPA domain and to users from trusted Active Directory forests