Roland Kaeser wrote:
> Strange, even in the v2 outline ( is 
> excplicitly written that ad integration and samba 3 support will be one of 
> the features of v2. 
I guess there is some misinterpretation. Samba 3 does not provide a way
to integrate contemporary Windows clients. The Samba 3 integration
mentioned in the outline is the integration of Samba 3 as a CIFS server.

> If not its completly unusable to me, and verisimilar also to the most other 
> potential users. 

It is assumed that most of the current users currently have AD in their
environment anyways. We are not putting a goal of taking over the world
and replacing AD altogether. Rather we plan to inter operate with it.

> Its sad, but in the most cases, sysadmins have to deal with windows machines 
> in their network. So at the moment they have only the choice between a AD and 
> a samba domain (with LDAP).

Samba 4 is the alternative to AD.

>  FreeIPA whould have so much potential if it acts as a central authentication 
> and identity management plaform which connects all the diffrent network 
> systems together
It will connect by allowing cross kerberos trust with AD/Samba 4 but its
goal is not to replace AD as a primary identity server for Windows
clients. It is just not possible to do other than re-implement AD which
Samba 4 already does. So if you want to move away from AD you might take
advantage of Samba 4 as a replacement for your AD and using cross
kerberos trusts allow SSO with IPA environment. At some point we might
make this integration more automatic but this is not on the road map for

>  Specially in a rhev environment with vdi infrastructures could it be the 
> central point for authentification, authorization and auditing. 

Absolutely! RHEV environment is something we definitely have in mind and
the cross kerberos trust solution we plan for v3 should address this use
case. It is the question of how complete will be the  implementation of
the trusts. Depending on time we might go for the higher priority use
cases  (IPA is a resource domain ) than the full trust required for VDI
to work the way you envision. But still VDI is a significant use case we
have in mind.

> But if the current intention will not change, freeipa will become just 
> another pice of unusable software which will die soon. Its very sad.
The intention is to be realistic and not require drastic changes to
existing environments where AD is dominating.

> Regards
> Roland
> ----- Ursprüngliche Mail -----
> Von: "Dmitri Pal" <>
> An: "Roland Käser" <>
> CC:,
> Gesendet: Montag, 3. Januar 2011 14:56:03
> Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server 
> Beta 1 Release
> Roland Kaeser wrote:
>> Hello
>> Great, I just tested it on F-13 and it runs fine so far. 
>> But I'm missing a very important feature (to me) which is: Samba Support.
>> Are there any plans to build samba support into freeipa 2? It would be very 
>> great to have on single 
>> authentication authority without the need of installing active directory.
>> Regards
>> Roland Kaeser
> There are no plans to integrate Samba in a way you describe. Our next
> goal on this path is to allow cross Kerberos trusts (IPA v3) but
> supporting Windows clients natively is not something we have in mind.
> The intent however to pretend that IPA is yet another AD domain. If your
> main domain is going to be Samba 4 instead of AD it might work without
> installing AD. But we do not plan to carry install and configure Samba 4
> ourselves at least in the near future (read couple years).
> Thank you
> Dmitri
>> ----- Ursprüngliche Mail -----
>> Von: "Dmitri Pal" <>
>> An: "freeipa-devel" <>, "." 
>> <>,
>> Gesendet: Donnerstag, 23. Dezember 2010 09:06:58
>> Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>> The FreeIPA project team is pleased to announce the availability of the
>> Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us on
>> our mailing list:
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of the
>> upcoming release.
>> - For the first time the new UI is mostly operational and can be used to
>> perform management of the system.
>> - Some areas are still very rough and we will appreciate your help with
>> those.
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about
>> the general approaches, work flows, and usability is appreciated. It is
>> still very rough but one can hopefully get a good understanding of how
>> we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi
>> replica configurations should be easier.
>> - We are looking for a feedback about the DNS integration and networking
>> issues you find in your environment configuring and using IPA with the
>> embedded DNS enabled.
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see [2]
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication
>> agreements in the ipa-replica-manage command. It is now much easier to
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords are
>> not logged.
>> - Certificates can be saved as PEM files in service-show and host-show
>> commands.
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during
>> reboot/shutdown.
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handle with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>> What is not Complete
>> - We are still using older version of the Dogtag. New version of the
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today but
>> we have not finished the integration effort yet.
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure you machine can properly resolve its name before installing
>> the server. Edit /etc/hosts to remove host name from the localhost and
>> localhost6 lines if needed.
>> - The UI is still rough in places<br>Use the following query [3] to see
>> the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for
>> the time being run:
>>   # ln -s /usr/share/java/xalan-j2-serializer.jar
>> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which is
>> similar to the CA that was provided in IPA v1. This was designed for
>> testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>> Thank you,
>> FreeIPA development team
>> [1]
>> [2]
>> [3]
>> _______________________________________________
>> Freeipa-interest mailing list

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to