Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts
> as a "central authentication and identity management platform". I would like
> to be able to use Linux as the IT backbone without having to resort to
> Microsoft. The reality is that Windows clients are too widespread in most
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2.
> As for reimplementing AD, is there any reason we could not use Samba 4 as a
> backend? There are other interesting projects that build on it, such as
> openchange which could be a viable Exchange replacement.
>
We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD; this is how it is designed and
implemented. It is not nice to UNIX/Linux in the same way as AD is not. This
was one of the reasons we decided not to use Samba 4 as our back end though we
did a lot of research and analysis. You can search archives from 2007/2008 for
more details.

What you are asking for is a very appealing goal but unfortunately not
something that can be easily accomplished. Serving Windows clients by a
non-Windows server is a challenge. Samba 4 tries to do it and still struggles
after many years of development. We definitely would look at Samba 4 again
when we see it sufficiently ready but this is not a priority for 2011.

Thanks
Dmitri

> Regards,
> - Ben
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-de...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing
> FreeIPA v2 Server Beta 1 Release
>
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is
> explicitly written that AD integration and Samba 3 support will be one of
> the features of v2. If not, it's completely unusable to me, and verisimilar also
> to the most other potential users. It's sad, but in most cases, sysadmins
> have to deal with Windows machines in their network. So at the moment they
> have only the choice between an AD and a Samba domain (with LDAP). FreeIPA
> would have so much potential if it acts as a central authentication and
> identity management platform which connects all the different network systems
> together. Especially in a RHEV environment with VDI infrastructures it could be
> the central point for authentication, authorization and auditing. But if
> the current intention will not change, freeipa will become just another piece
> of unusable software which will die soon. It's very sad.
>
> Regards
>
> Roland
>
>
> ----- Original Message -----
> From: "Dmitri Pal" <d...@redhat.com>
> To: "Roland Käser" <roland.kae...@intersoft-networks.ch>
> CC: freeipa-de...@redhat.com, freeipa-users@redhat.com
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server
> Beta 1 Release
>
> Roland Kaeser wrote:
>
>> Hello
>>
>> Great, I just tested it on F-13 and it runs fine so far.
>> But I'm missing a very important feature (to me) which is: Samba Support.
>>
>> Are there any plans to build samba support into freeipa 2? It would be
>> very great to have one single authentication authority without the need of
>> installing active directory.
>>
>> Regards
>>
>> Roland Kaeser
>>
>
> There are no plans to integrate Samba in a way you describe. Our next goal on
> this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows
> clients natively is not something we have in mind.
> The intent, however, is to pretend that IPA is yet another AD domain. If your main
> domain is going to be Samba 4 instead of AD it might work without installing
> AD. But we do not plan to carry install and configure Samba 4 ourselves at
> least in the near future (read couple years).
>
> Thank you
> Dmitri
>
>> ----- Original Message -----
>> From: "Dmitri Pal" <d...@redhat.com>
>> To: "freeipa-devel" <freeipa-de...@redhat.com>, "."
>> <freeipa-users@redhat.com>, freeipa-inter...@redhat.com
>> Sent: Thursday, 23 December 2010 09:06:58
>> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1
>> Release
>>
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>>
>> The FreeIPA project team is pleased to announce the availability of
>> the Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us
>> on our mailing list: freeipa-users@redhat.com
>>
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of
>> the upcoming release.
>> - For the first time the new UI is mostly operational and can be used
>> to perform management of the system.
>> - Some areas are still very rough and we will appreciate your help
>> with those.
>>
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about
>> the general approaches, work flows, and usability is appreciated. It
>> is still very rough but one can hopefully get a good understanding of
>> how we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi
>> replica configurations should be easier.
>> - We are looking for feedback about the DNS integration and
>> networking issues you find in your environment configuring and using
>> IPA with the embedded DNS enabled.
>>
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see [2]
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication
>> agreements in the ipa-replica-manage command. It is now much easier to
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords
>> are not logged.
>> - Certificates can be saved as PEM files in service-show and host-show
>> commands.
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during
>> reboot/shutdown.
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handle with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>>
>> What is not Complete
>> - We are still using an older version of the Dogtag. New version of the
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today
>> but we have not finished the integration effort yet.
>>
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure your machine can properly resolve its name before
>> installing the server. Edit /etc/hosts to remove host name from the
>> localhost and localhost6 lines if needed.
>> - The UI is still rough in places. Use the following query [3] to
>> see the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for
>> the time being run:
>> # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which
>> is similar to the CA that was provided in IPA v1. This was designed
>> for testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>>
>> Thank you,
>> FreeIPA development team
>>
>> [1] http://www.freeipa.org/page/Downloads
>> [2] http://freeipa.org/page/Permissions
>> [3] https://fedorahosted.org/freeipa/report/12
>>
>> _______________________________________________
>> Freeipa-interest mailing list
>> freeipa-inter...@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-interest
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users