Product SiteDocumentation Site

10.4. Configuring Kerberized CIFS

While FreeIPA and Samba can be integrated together, that is not done automatically. The FreeIPA server needs to be configured to create and manage Samba groups, and then the Fedora machine can be configured to use a Kerberos-aware CIFS client.

10.4.1. Setting up Samba Groups in FreeIPA

FreeIPA is not configured to create Samba groups by default. It is possible to change the FreeIPA configuration so that groups are automatically configured as Samba groups that work with the CIFS server.


FreeIPA works with a Samba file server, not a Samba domain controller.
  1. Obtain the Samba Windows security ID (SID) for the Samba domain. This ID is used as part of the FreeIPA group configuration.
    [root@ipaserver ~]# net getlocalsid
    SID for EXAMPLE domain  is: S-1-2-3-4
  2. Obtain a Kerberos ticket before editing the FreeIPA configuration.
    [root@server ~]# kinit admin
  3. Add two Samba-related object classes, sambaSAMAccount for users and sambaGroupMapping for groups, to the FreeIPA configuration entry.


    The object class list is the complete list of object classes for the user and group entries. Be sure to include all existing object classes in the list along with the new attribute, or new entries will be created with the wrong object classes and will not work in the FreeIPA domain.
    Add sambaSAMAccount for users:
    $ ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount, krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
    Add sambaGroupMapping for groups:
    $ ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,sambaGroupMapping
  4. Unique Samba IDs must be created for groups as they are added, with the Samba file server SID used as a prefix to identify the CIFS domain. This is configured by creating a Distributed Numeric Attribute Plug-in instance in the internal 389 Directory Server instance for the FreeIPA server.
    The DNA Plug-in configuration includes:
    • The attribute to create on entries (dnatype).
    • The entries to add the attribute to, based on an LDAP filter (dnafilter).
    • The Samba file server SID to prepend to the attribute numbers (dnaprefix); this include a hyphen on the end of the number.
    • The directory suffix to check for matching entries (dnascope); since this includes both users and groups, it should be the root suffix.
    • The number to use to begin counting Samba IDs (dnanextvalue).
    [root@server ~]# ldapadd -x -D "cn=Directory Manager" -w secret 
    dn: cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: extensibleObject
    cn: SambaSid
    dnatype: sambaSID
    dnaprefix: S-1-2-3-4-
    dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
    dnascope: dc=example,dc=com
    dnanextvalue: 1
    The DNA Plug-in is described in the 389 Directory Server 9.0 Administrator's Guide.
  5. Every Samba groups requires a sambaGroupType attribute. Since this value is always 4, this can be defined automatically by using a class of service (CoS) to supply the value. A CoS uses a template entry with a defined value and then automatically applies that value to all entries within the scope of the template.
    1. Create the CoS definition entry in the groups subtree (cn=groups,cn=accounts,dc=example,dc=com), so that all the group entries are updated with the sambaGroupType attribute.
      [root@ipaserver ~]# ldapadd -x -D "cn=directory manager" -w secret 
      dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
      objectclass: top
      objectclass: cosSuperDefinition
      objectclass: cosPointerDefinition
      cosTemplateDn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
      cosAttribute: sambaGrouptType
    2. Create the CoS template entry, which defines the sambaGroupType attribute. This is done outside the groups subtree, such as the cn=ipaConfig subtree.
      [root@ipaserver ~]# ldapadd -x -D "cn=directory manager" -w secret 
      dn: cn=SambaCoS,cn=ipaConfig,dc=etc,dc=example,dc=com
      changetype: add
      objectclass: top
      objectclass: extensibleObject
      objectclass: cosTemplate
      sambaGroupType: 4
    Classes of service are described in the 389 Directory Server 9.0 Administrator's Guide.

10.4.2. Configuring the CIFS Client

mount.cifs is described in detail in its manpage.
  1. Obtain a Kerberos ticket before running FreeIPA tools.
    [jsmith@server ~]$ kinit admin
  2. If the CIFS client is not enrolled as a client in the FreeIPA domain, then set up the required host entries, as described in Section 6.2, “Adding Host Entries”.
  3. Generate an CIFS service keytab for the CIFS client using the ipa-getkeytab command, and save the keys directly to the host keytab. For example:
    [jsmith@server ~]$ ipa-getkeytab -k /etc/krb5.keytab -p host/
  4. If the CIFS server and client are in different DNS domains, then configure the CIFS domain. The idmapd.conf must be the same on the CIFS client as it is on the CIFS server.
    [root@cifs-client ~]# vim /etc/idmapd.conf
    Domain =
  5. Start the GSS daemon.
    [root@cifs-client ~]# service rpcgssd start
    [root@cifs-client ~]# service rpcbind start
    [root@cifs-client ~]# service rpcidmapd start
  6. Edit the fstab file.
    [root@cifs-client ~]# vim /etc/fstab
    // /mnt/this cifs sec=krb5i,rw,proto=tcp,port=2049
  7. Mount the directory.
    [root@cifs-client ~]# mount -t cifs