Sorry forgot last note:
>From my point of view, for the moment it's not that much which is required. It 
>would only be supporting the samba ldap attributes in the ldap server and 
>extension of the management framework to create samba domains, users, groups 
>and machine accounts until samba 4 is stable (already hope for end of this 
>year). As far as I understand the problematics in windows kerberos and samba, 
>it should be possible to connect the windows machines directly to the kerberos 
>server but have the windows related information such as SIDs etc. also 
>available through samba so login scripts and network wide security and single 
>sign on should be possible.

Roland


----- Original Message -----
From: "Dmitri Pal" <d...@redhat.com>
To: "Benjamin Vogt" <benjamin.v...@serv24.biz>
CC: "Roland Kaeser" <roland.kae...@intersoft-networks.ch>, 
freeipa-de...@redhat.com, freeipa-us...@redhat.com
Sent: Monday, 3 January 2011 22:42:59
Subject: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing 
FreeIPA v2 Server Beta 1 Release

Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts 
> as a "central authentication and identity management platform". I would like 
> to be able to use Linux as the IT backbone without having to resort to 
> Microsoft. The reality is that Windows clients are too widespread in most 
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. 
> As for reimplementing AD, is there any reason we could not use Samba 4 as a 
> backend? There are other interesting projects that build on it, such as 
> openchange which could be a viable Exchange replacement.
>   

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD; this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.

Thanks
Dmitri      


> Regards,
> - Ben
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-de...@redhat.com; freeipa-us...@redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing 
> FreeIPA v2 Server Beta 1 Release
>
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) is 
> explicitly written that ad integration and samba 3 support will be one of 
> the features of v2. If not, it's completely unusable to me, and verisimilar also 
> to the most other potential users. It's sad, but in the most cases, sysadmins 
> have to deal with windows machines in their network. So at the moment they 
> have only the choice between an AD and a samba domain (with LDAP). FreeIPA 
> would have so much potential if it acts as a central authentication and 
> identity management platform which connects all the different network systems 
> together. Specially in a rhev environment with vdi infrastructures could it be 
> the central point for authentication, authorization and auditing. But if 
> the current intention will not change, freeipa will become just another piece 
> of unusable software which will die soon. It's very sad.
>
> Regards
>
> Roland
>
>
> ----- Original Message -----
> From: "Dmitri Pal" <d...@redhat.com>
> To: "Roland Käser" <roland.kae...@intersoft-networks.ch>
> CC: freeipa-de...@redhat.com, freeipa-us...@redhat.com
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server 
> Beta 1 Release
>
> Roland Kaeser wrote:
>   
>> Hello
>>
>> Great, I just tested it on F-13 and it runs fine so far. 
>> But I'm missing a very important feature (to me) which is: Samba Support.
>>
>> Are there any plans to build samba support into freeipa 2? It would be 
>> very great to have one single authentication authority without the need of 
>> installing active directory.
>>
>> Regards
>>
>> Roland Kaeser
>>
>>   
>>     
>
> There are no plans to integrate Samba in a way you describe. Our next goal on 
> this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows 
> clients natively is not something we have in mind.
> The intent, however, is to pretend that IPA is yet another AD domain. If your main 
> domain is going to be Samba 4 instead of AD it might work without installing 
> AD. But we do not plan to carry install and configure Samba 4 ourselves at 
> least in the near future (read couple years).
>
> Thank you
> Dmitri
>
>
>
>
>   
>> ----- Original Message -----
>> From: "Dmitri Pal" <d...@redhat.com>
>> To: "freeipa-devel" <freeipa-de...@redhat.com>, "." 
>> <freeipa-us...@redhat.com>, freeipa-interest@redhat.com
>> Sent: Thursday, 23 December 2010 09:06:58
>> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 
>> Release
>>
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>>
>> The FreeIPA project team is pleased to announce the availability of 
>> the Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us 
>> on our mailing list: freeipa-us...@redhat.com
>>
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of 
>> the upcoming release.
>> - For the first time the new UI is mostly operational and can be used 
>> to perform management of the system.
>> - Some areas are still very rough and we will appreciate your help 
>> with those.
>>
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about 
>> the general approaches, work flows, and usability is appreciated. It 
>> is still very rough but one can hopefully get a good understanding of 
>> how we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi 
>> replica configurations should be easier.
>> - We are looking for feedback about the DNS integration and 
>> networking issues you find in your environment configuring and using 
>> IPA with the embedded DNS enabled.
>>
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see [2]
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication 
>> agreements in the ipa-replica-manage command. It is now much easier to 
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords 
>> are not logged.
>> - Certificates can be saved as PEM files in service-show and host-show 
>> commands.
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during 
>> reboot/shutdown.
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handling with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>>
>> What is not Complete
>> - We are still using older version of the Dogtag. New version of the 
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today 
>> but we have not finished the integration effort yet.
>>
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure your machine can properly resolve its name before 
>> installing the server. Edit /etc/hosts to remove host name from the 
>> localhost and localhost6 lines if needed.
>> - The UI is still rough in places. Use the following query [3] to 
>> see the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for 
>> the time being run:
>>   # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which 
>> is similar to the CA that was provided in IPA v1. This was designed 
>> for testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>>
>> Thank you,
>> FreeIPA development team
>>
>> [1] http://www.freeipa.org/page/Downloads
>> [2] http://freeipa.org/page/Permissions
>> [3] https://fedorahosted.org/freeipa/report/12
>>
>> _______________________________________________
>> Freeipa-interest mailing list
>> Freeipa-interest@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-interest
>>
>>   
>>     
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>   


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




-- 

InterSoft Networks 
Roland Käser, Systems Engineer OpenSource 
Fulachstr. 197, 8200 Schaffhausen 
Tel: +41 77 415 79 11 
------------------------------------------------------------------------------------------------------------------------------
 
Those who give up their freedom in favor of security 
will in the end have neither - and do not deserve it either. 
(Benjamin Franklin) 
------------------------------------------------------------------------------------------------------------------------------
 
