FreeIPA and Samba 3 Integration

FreeIPA makes a pretty excellent backend for Samba 3. While all the information one needs to set this up is available online, I wasn’t able to find it all  in one location so I’ve decided to try my best at filling that gap here on Hopefully this short guide will aid those trying to piece together the various parts necessary to integrate FreeIPA v2 and Samba 3, at least until FreeIPA v3 where there is talk of enabling Samba integration with a simple command line argument to the “ipa-server-install” script.

Not for Domains

It’s important to keep in mind that these instructions are not for a integrating FreeIPA with a Samba domain controller but merely a Samba file server. My understanding is that FreeIPA will never conveniently/properly support the necessary bits to make it a suitable backend for a Samba 3 PDC. I believe FreeIPA will eventually look towards Samba 4 integration (using Domain trusts) for this kind of integration but don’t quote me on that. Either way, these instructions are not for Samba domain controllers, just Samba file servers.

The Assumptions

There are some basic assumptions that these instructions make.

  • FreeIPA is installed and functional
  • You have a general idea of how to use LDAP command line tools
  • If you have a nice GUI LDAP browser, you can use it to apply the example LDIFs and edit the tree instead of the ldap CLI tools
  • The LDAP commands are executed on the FreeIPA server
  • Samba and FreeIPA are installed on the same server (although it shouldn’t be difficult to use TLS encryption with separate servers)
  • Your LDAP suffix is “dc=domain,dc=tld”
  • You know the difference between the “admin” account and the directory manager and their passwords

The Goods

Let’s not beat around the bush any further.

  1. Determine your Samba server SID by executing the following command while smbd is running and jot it down:
# net getlocalsid
SID for IPASERVER domain  is: S-1-5-21-3180075094-3458813485-3821849995
  1. With the “admin” kerberos ticket, add two attributes to “cn=ipaConfig,dc=etc,dc=domain,dc=tld” that tell FreeIPA to setup each account as a Samba account and each group as a Samba group:
ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: modify
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping
  1. With the directory manager password and the Samba SID you jotted down from above, create an instance of the 389 DS DNA plugin that will automatically generate SIDs for your users and groups which are necessary for use with Samba:
ldapadd -x -D "cn=Directory Manager" -W <<EOF
dn: cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-3180075094-3458813485-3821849995-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=domain,dc=tld
cn: SambaSid
dnanextvalue: 15277

The thing to note here is that the “dnaprefix” is set to the SID your jotted down… PLUS a hyphen (“-“) appended to the end!

  1. Now we have to start modifying the FreeIPA API, CLI and WebUI to allow us to specify the “sambaGroupType” attribute at group creation time. We have to set “sambaGroupType” because it is a required attribute for the objectClass “sambaGroupMapping” which we are automatically adding to every group with the “ipaGroupObjectClasses” setting from earlier.

Although the value is going to be “4” for every conceivable case in this non-domain configuration, I was not able to figure out how to make the DNA plugin insert static values like it can set incrementing values so I decided to allow setting it through the CLI and WebUS with defaults enabled instead. If anyone knows how to setup 389 to automatically add an attribute with a static value upon DN creation of DNs with specific objectClasses, please tell me.

There are a few steps required to make this CLI/UI stuff happen but the FreeIPA developers have actually made this quite simple.

The rule is: Extend the FreeIPA schema first, then the CLI, then the WebUI.

4.1. Extend the FreeIPA schema with a custom field by adding the attribute “ipaCustomFields” with a value of “Samba Group Type,sambagrouptype,true” to “cn=ipaConfig,dc=etc,dc=domain,dc=tld” with an “admin” kerberos ticket:

ldapmodify -Y GSSAPI <<EOF
dn: cn=ipaconfig,cn=etc,dc=domain,dc=tld
changetype: add
add: ipaCustomFields
ipaCustomFields: "Samba Group Type,sambagrouptype,true"

As there can only be one “ipaCustomFields” attribute, if you have multiple custom fields you need to separate each definition with a “$” like so: “Samba Group Type,sambagrouptype,true$Description,attrname,isrequiredboolean”.

4.2. Extend the CLI for groups by editing the python file “/…/site-packages/ipalib/plugins/” to define the custom field and specify a default if not implicitly defined (diff):

---  2011-08-15 14:59:48.570715207 -0700
+++    2011-08-16 12:43:43.493236507 -0700
@@ -118,6 +118,13 @@
             doc=_('GID (use this option to set it manually)'),
+        Int('sambagrouptype',
+            cli_name='sgt',
+            label=_('Samba Group Type'),
+            doc=_('Samba Group Type (default is 4)'),
+            default=4,
+            autofill=True,
+        ),

Important: Restart “httpd” at this point!

4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos ticket, try creating a new group:

$ ipa group-add testgrp --desc="Testing the CLI mods"
Added group "testgrp"
  Group name: testgrp
  Description: Testing the CLI mods
  GID: 1234500010
  Samba Group Type: 4

4.4 With the CLI functioning properly, we can move on to extending the WebUI. To extend the WebUI for group attributes, edit “/usr/share/ipa/ui/group.js” like so (diff):

--- group.js.orig  2011-08-15 10:01:28.515209121 -0700
+++ group.js    2011-08-16 13:52:59.587352034 -0700
@@ -34,6 +34,7 @@
                 column({name: 'cn'}).
                 column({name: 'gidnumber'}).
                 column({name: 'description'}).
+                column({name: 'sambagrouptype'}).
                         'name': 'add',
@@ -41,6 +42,7 @@
                         field(IPA.text_widget({name: 'cn', undo: false})).
                         field(IPA.text_widget({name: 'description', undo: false})).
+                        field(IPA.select_widget({name: 'sambagrouptype', undo: false, options: [{label: 'Local', value: 4}, {label: 'Domain', value: 2}]})).
                             name: 'posix',
@@ -56,6 +58,7 @@
                         input({name: 'cn' }).
                         input({name: 'description'}).
+                        input({name: 'sambagrouptype'}).
                         input({name: 'gidnumber' }))).

And then these the WebUI to ensure that you can both see the attribute in the group list, but also add it via the select widget added to the new/edit group dialog.

That should be it. Questions, comments, suggestions, correction and more… all are welcome!

LinuxCon 2011: Day 1

Today was the first day of LinuxCon North America 2011. I managed to received a free pass to the event via a contact at my place of employment which was in turn actually from Hewlett Packard. Thanks, JK and HP. Much appreciated.

I arrived shortly after 8AM, registered to receive my badge and t-shirt then milled around the vendor booths until the keynotes were ready to start. I watched the keynotes (Jim Zemlin, Linux Foundation and Jim  Whitehurts, Red Hat), went to every session I could and came back to the main ballroom for the panel discussion with Jon “Maddog” Hall, Eben Moglen and Dan Frye and the following interview of Linus Torvalds by Greg Kroah-Hartman to wrap things up for day 1. So far, so good.

The Keynotes

Jim Zemlin’s opening keynote “Imagining a World Without Linux” was decent. While he did take some inevitable potshots at Microsoft, the message was generally very positive and uplifting. I won’t go into details but basically Jim described a world without Linux as one that would be black & white as opposed to the colour filled world we know today (due to Linux). Jim is a smiley and positive person on stage, his style helped kick off LinuxCon 2011 with a good vibe.

Jim Whitehurst, CEO of Red Hat had a similar approach of sending positive vibes but focused on how the progress of Linux and Open Source has enabled businesses and business models. He said that Google wouldn’t exist (at least not in it’s current form) without Linux and basically implying the same about other major well know Linux-powered companies such as Amazon and Facebook. Jim struck me as a fairly modest fellow but he wasn’t shy about mentioning Red Hat’s penetration into Fortune 500 companies. Nor was he reserved about how Linux has powered, enabled, strongly driven by or directly benefitted various global forces that may or may not be angels (U.S. Navy, NSA, Russian Military, NYSE/Wall Street). While his examples spoke to the breadth of applications for and the wide reach of Linux, I couldn’t help but think about how the pervasiveness of Linux is not only helping drive great positive change int he world but may also be powering negative forces as well.

Overall both Jim’s did a good job and left me excited for the rest of LinuxCon to come.

First Day Sessions

I attended four sessions on day 1:

  1. Centralized User Administration with FreeIPA and sssd by Stephen Gallagher
  2. Watching Mad Men and Thinking About Open Source by Karen Copenhaver
  3. 20 Years – And More – of Kernel Development by Jon Cobert
  4. What to Expect from Linux Storage by James Bottomley

Centralized User Administration with FreeIPA and sssd

My first LinuxCon session was by Stephen Gallagher of Red Hat. As is clear by the title, it was about FreeIPA and sssd, two emerging Red Hat driven projects relating to centralized directory and authentication services. Stephen wasn’t the most natural speaker I’ve had the pleasure to watch and I suspect that presentations aren’t something he does on a regular basis but he clearly knew his material and he was able to field the post-presentation questions with ease. The presentation material was fairly spot on to what I expected. I should stop by the Red Hat booth and speak with Stephen tomorrow as there are a few FreeIPA/sssd related questions I have which I didn’t ask during the question period. Overall, I was satisfied.

Watching Mad Men and Thinking About Open Source

First of all, Karen is a more natural speaker than Stephen but I suppose that’s to be expected: She is legal counsel for the Linux Foundation. The material in this session while clear and understandable was maybe not quite as impactful as I had hoped. Karen had some very nice points and brought good historical reference to the table but it wasn’t really anything that I didn’t already think think about in my own internal dialog, for the most part.

Some key points that Karen made early which did resonate with me:

  • “It’s a privilege to work on something so important”, I believe she was quoting Linus Torvalds. This hits home for me as my work is only to enable the much more important and relevant work of others.
  • The observation that the open source community generally doesn’t have time for anything but the truth which is a nice ideal but perhaps isn’t necessarily reflective of the entire open source world so much as a few of the important luminaries.
  • Identify the things that you value and… well I missed that part. But I do think identifying the things you value is, well, valuable.

These are all straight forward things but to hear someone say them can be powerful. This session was good but it wasn’t quite as hard hitting as I thought it might be based on the title and description. It was no let down, though.

20 Year – And More – Of Linux Kernel Development

Ok, now we’re getting way out of my league. Jon Corbet is a high profile Linux kernel contributor and he knows what he is talking about. This man has confidence and ostensibly the knowledge to back it up. His overview of the last 20 years of Linux kernel development was excellent and spotted with just enough humour to keep the real developers cracking up and the rest of us only getting every second joke.

Jon’s timeline approach to describing the history of kernel development was excellent and enabled him to visually map releases, events and growth in a very simple and understandable way. He made an excellent observation regarding the pace (measure by lines of code) of Linux kernel development during the dot com bust not slowing down one bit despite industry turmoil and job loss and pointed out the correlation between important points in Linux kernel development time with other events that may not be obvious to every outsider (BitKeeper, Git, time between certain releases, Merge Window, etc.).

While this session was developer focused, it wasn’t so technical to be devoid of value for anyone else, in fact I think it really helped frame the history of Linux kernel development for me in a way that I had never experienced before. Way to go, Jon.

What To Expect From Linux Storage

I’m not sure why James’ talk was titled what it was because for the best of what I could tell, the majority of the talk was about what already is, not what to expect. That’s not to say it was devoid of important information regarding “what to expect” and maybe it was because James ran out of time and had to skip some slides but I did find the title interesting in that capacity none-the-less.

James is charismatic. He makes jokes, he wears a bow tie, he speaks with an attractive accent. He’s also clearly very knowledgable about his part of the Linux kernel: the Block layer.

Being a sysadmin, knowing more about the block layer and James’ perspective on storage was hugely beneficial. He has historical reference that I never will and deep knowledge of the kernel which I’ll never achieve. With that said, some of his opinions regarding specific technologies and methods, I personally already held myself! How is it that a Linux kernel rube such as myself could had gleaned the same opinions on specific technologies as one of the people  who understands these technologies the best of anyone? iSCSI was an example. I think it’s safe to say James thinks iSCSI is an abhorrent mess that simply tries to solve a problem in entirely the wrong way. I’m also not a big fan of iSCSI and his reasoning  resonated with me, despite my lack of in depth knowledge.

I could go on because I liked this session but I already feel like I’m burning myself out on this summary of day 1 and we haven’t even gotten to the panel discussion or Linus interview yet.

Panel Discussion

The panel discussion with Jon Hall, Eben Moglen and Dan Frye was fairly profound despite Eben using the platform for an interesting but strangely placed speech that appeared entirely scripted/written. That’s not to say I didn’t like his speech or that I don’t agree with him or his world views but the way he momentarily took over the panel with what was clearly a pre-planned speech during a panel discussion main-hall format was strange indeed.

Dan Frye struck me as level-headed and one of those business people whom can take the challenge of  balancing the need to run a profitable business with social awareness and decency and excel at it. I’ve never really doubted IBM’s commitment to Linux and I know their commitment is based on profitability but the way that Dan framed the reasons that he and his team knew Linux meant good business for IBM put a smile on my face.

Jon Hall’s experience in the computing industry is staggering and humbling, even for today’s big shots. What a dude. Level head, very articulated, sense of humour and a huge white beard. It’s hard not to love the guy after watching that panel discussion. Jon talked about his hopes for how Linux and the open source model will foster the next generation of great thinkers, movers and shakers and enable them to do great things. I liked that.

I’m not really sure what to say about Eben. I agreed with everything he said but he just wasn’t as loveable as Jon Hall. Must be because he’s a lawyer :D I suppose that slightly awkward speech about the troubled times that are looming (mounting patent threats and inevitable “10-20 billion” dollar war) could have been a factor as well. That said, he seemed positive despite the heavy and serious tone he used to describe the battles ahead.

On one hand, the panel discussion left me feeling good and uplifted but on the other hand I was left with a feeling of powerlessness. I’m not one of the next great thinkers, doers or talkers. What’s my place in the Linux and open source world, then? Everything that was discussed revolved around the greatest minds in open source and the huge impacts made by major players. I almost felt a little left out as a lowly sysadmin whom has to deploy at least some non-RMS blessed systems alongside the requisite Linux systems. What’s my role in all this?

Interview with Linus

I really don’t have much to say about this one. Linus is down to earth, but strong in his opinions. He admits when something is outside of his immediate expertise, as evidenced by his answers to many non-Linux kernel specific questions. He talks well and he would have preferred if the crowd did not give him a standing ovation at the end but I suppose you cannot make a room full of Linux geeks sit down when their proverbial leader is being applauded.

I liked a lot of what Linus talked about regarding the modern direction of Linux such as the version numbering changes, the idea that we should be looking backwards at how to improve existing subsystems and layers instead of always looking forward to new feature inclusions. I liked how he described the cross-pollination of various parts of Linux that exist when everyone from embedded systems to massively parallel SMP systems are made to use the exact same kernel instead of everyone having their own specialized forks.

Linus was clam and cool, just like Linux and I had a seriously good time at LinuxCon today. Rock on, LinuxCon!

Oracle Cold Call

I just received a cold call from Oracle moments ago. I’m actually a bit shocked to be honest.

Let’s describe my relationship with Oracle for a moment:

  • In seven years as a sysadmin, I’ve never had a business relationship with Oracle
  • I’ve never run an Oracle product in any of my shops
  • I’ve never directly or indirectly inquired about Oracle products with Oracle or their resellers
  • I’ve never once feigned interest in anything Oracle has done until the day they bought Sun Microsystems

So what was the cold call about? They wanted to sell me on Oracle Unbreakable Linux and Oracle VM. They were targeting our RedHat (well, CentOS) installations and wanted to get a foot in the door for their virtualization product (Xen) Thanks, but seriously… No thanks!

I’ve been approached by vendors before at trade shows or expos or even via existing reseller relationships but this out of the blue cold call is entirely new to me. I can ignore the fact that Oracle’s representative had less than stellar English skills. That’s not paramount, although it made for lengthy repetitions where it otherwise wouldn’t have been necessary. It’s that cold call tactic that has me fired up! Are they seriously trolling my employer’s public directory in which my name and number is listed to see if anything bites?

Overall, I’m really turned off by Oracle’s slimy cold call tactics. Please don’t call again, Oracle. Your rebranded-and-slightly-modified RHEL and Xen clones be damned!