Sorry forgot last note:
>From my point of view, for the moment its not that much which is required. It
>would only be supporting the samba ldap attributes in the ldap server and
>extension of the management framework to create samba domains, users, groups
>and machine accounts until samba 4 is stable (already hope for end of this
>year). As far as I understand the problematics in windows kerberos and samba,
>it should possible to connect the windows machines directly to the kerberos
>server but have the windows related informations such as sid's etc. also
>available though samba so login scripts and network wide security and single
>sign on should be possible.
----- Ursprüngliche Mail -----
Von: "Dmitri Pal" <d...@redhat.com>
An: "Benjamin Vogt" <benjamin.v...@serv24.biz>
CC: "Roland Kaeser" <roland.kae...@intersoft-networks.ch>,
Gesendet: Montag, 3. Januar 2011 22:42:59
Betreff: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing
FreeIPA v2 Server Beta 1 Release
Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts
> as a "central authentication and identity management platform". I would like
> to be able to use Linux as the IT backbone without having to resort to
> Microsoft. The reality is that Windows clients are too widespread in most
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2.
> As for reimplementing AD, is there any reason we could not use Samba 4 as a
> backend? There are other interesting projects that build on it, such as
> openchange which could be a viable Exchange replacement.
We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.
> - Ben
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-de...@redhat.com; freeipa-us...@redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing
> FreeIPA v2 Server Beta 1 Release
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) is
> excplicitly written that ad integration and samba 3 support will be one of
> the features of v2. If not its completly unusable to me, and verisimilar also
> to the most other potential users. Its sad, but in the most cases, sysadmins
> have to deal with windows machines in their network. So at the moment they
> have only the choice between a AD and a samba domain (with LDAP). FreeIPA
> whould have so much potential if it acts as a central authentication and
> identity management plaform which connects all the diffrent network systems
> together Specially in a rhev environment with vdi infrastructures could it be
> the central point for authentification, authorization and auditing. But if
> the current intention will not change, freeipa will become just another pice
> of unusable software which will die soon. Its very sad.
> ----- Ursprüngliche Mail -----
> Von: "Dmitri Pal" <d...@redhat.com>
> An: "Roland Käser" <roland.kae...@intersoft-networks.ch>
> CC: freeipa-de...@redhat.com, freeipa-us...@redhat.com
> Gesendet: Montag, 3. Januar 2011 14:56:03
> Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server
> Beta 1 Release
> Roland Kaeser wrote:
>> Great, I just tested it on F-13 and it runs fine so far.
>> But I'm missing a very important feature (to me) which is: Samba Support.
>> Are there any plans to build samba support into freeipa 2? It would be
>> very great to have on single authentication authority without the need of
>> installing active directory.
>> Roland Kaeser
> There are no plans to integrate Samba in a way you describe. Our next goal on
> this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows
> clients natively is not something we have in mind.
> The intent however to pretend that IPA is yet another AD domain. If your main
> domain is going to be Samba 4 instead of AD it might work without installing
> AD. But we do not plan to carry install and configure Samba 4 ourselves at
> least in the near future (read couple years).
> Thank you
>> ----- Ursprüngliche Mail -----
>> Von: "Dmitri Pal" <d...@redhat.com>
>> An: "freeipa-devel" <freeipa-de...@redhat.com>, "."
>> <freeipa-us...@redhat.com>, firstname.lastname@example.org
>> Gesendet: Donnerstag, 23. Dezember 2010 09:06:58
>> Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>> The FreeIPA project team is pleased to announce the availability of
>> the Beta 1 release of freeIPA 2.0 server .
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us
>> on our mailing list: freeipa-us...@redhat.com
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of
>> the upcoming release.
>> - For the first time the new UI is mostly operational and can be used
>> to perform management of the system.
>> - Some areas are still very rough and we will appreciate your help
>> with those.
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about
>> the general approaches, work flows, and usability is appreciated. It
>> is still very rough but one can hopefully get a good understanding of
>> how we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi
>> replica configurations should be easier.
>> - We are looking for a feedback about the DNS integration and
>> networking issues you find in your environment configuring and using
>> IPA with the embedded DNS enabled.
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see 
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication
>> agreements in the ipa-replica-manage command. It is now much easier to
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords
>> are not logged.
>> - Certificates can be saved as PEM files in service-show and host-show
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handle with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>> What is not Complete
>> - We are still using older version of the Dogtag. New version of the
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today
>> but we have not finished the integration effort yet.
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure you machine can properly resolve its name before
>> installing the server. Edit /etc/hosts to remove host name from the
>> localhost and
>> localhost6 lines if needed.
>> - The UI is still rough in places<br>Use the following query  to
>> see the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for
>> the time being run:
>> # ln -s /usr/share/java/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which
>> is similar to the CA that was provided in IPA v1. This was designed
>> for testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>> Thank you,
>> FreeIPA development team
>>  http://www.freeipa.org/page/Downloads
>>  http://freeipa.org/page/Permissions
>>  https://fedorahosted.org/freeipa/report/12
>> Freeipa-interest mailing list
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> Looking to carve out IT costs?
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben,
werden am Ende keines von beiden haben - und verdienen es auch nicht.
Freeipa-interest mailing list