Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts 
> as a "central authentication and identity management platform". I would like 
> to be able to use Linux as the IT backbone without having to resort to 
> Microsoft. The reality is that Windows clients are too widespread in most 
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. 
> As for reimplementing AD, is there any reason we could not use Samba 4 as a 
> backend? There are other interesting projects that build on it, such as 
> openchange which could be a viable Exchange replacement.

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD; this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non-Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.


> Regards,
> - Ben
> -----Original Message-----
> From: 
> [] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To:;
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing 
> FreeIPA v2 Server Beta 1 Release
> Strange, even in the v2 outline ( is 
> explicitly written that AD integration and Samba 3 support will be one of 
> the features of v2. If not, it's completely unusable to me, and verisimilar also 
> to the most other potential users. It's sad, but in the most cases, sysadmins 
> have to deal with Windows machines in their network. So at the moment they 
> have only the choice between an AD and a Samba domain (with LDAP). FreeIPA 
> would have so much potential if it acts as a central authentication and 
> identity management platform which connects all the different network systems 
> together. Especially in a RHEV environment with VDI infrastructures it could be 
> the central point for authentication, authorization and auditing. But if 
> the current intention will not change, FreeIPA will become just another piece 
> of unusable software which will die soon. It's very sad.
> Regards
> Roland
> ----- Original Message -----
> From: "Dmitri Pal" <>
> To: "Roland Käser" <>
> CC:,
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server 
> Beta 1 Release
> Roland Kaeser wrote:
>> Hello
>> Great, I just tested it on F-13 and it runs fine so far. 
>> But I'm missing a very important feature (to me) which is: Samba Support.
>> Are there any plans to build samba support into freeipa 2? It would be 
>> very great to have one single authentication authority without the need of 
>> installing active directory.
>> Regards
>> Roland Kaeser
> There are no plans to integrate Samba in a way you describe. Our next goal on 
> this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows 
> clients natively is not something we have in mind.
> The intent, however, is to pretend that IPA is yet another AD domain. If your main 
> domain is going to be Samba 4 instead of AD it might work without installing 
> AD. But we do not plan to carry install and configure Samba 4 ourselves at 
> least in the near future (read couple years).
> Thank you
> Dmitri
>> ----- Original Message -----
>> From: "Dmitri Pal" <>
>> To: "freeipa-devel" <>, "." 
>> <>,
>> Sent: Thursday, 23 December 2010 09:06:58
>> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 
>> Release
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>> The FreeIPA project team is pleased to announce the availability of 
>> the Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us 
>> on our mailing list:
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of 
>> the upcoming release.
>> - For the first time the new UI is mostly operational and can be used 
>> to perform management of the system.
>> - Some areas are still very rough and we will appreciate your help 
>> with those.
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about 
>> the general approaches, work flows, and usability is appreciated. It 
>> is still very rough but one can hopefully get a good understanding of 
>> how we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi 
>> replica configurations should be easier.
>> - We are looking for feedback about the DNS integration and 
>> networking issues you find in your environment configuring and using 
>> IPA with the embedded DNS enabled.
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see [2]
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication 
>> agreements in the ipa-replica-manage command. It is now much easier to 
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords 
>> are not logged.
>> - Certificates can be saved as PEM files in service-show and host-show 
>> commands.
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during 
>> reboot/shutdown.
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handling with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>> What is not Complete
>> - We are still using older version of the Dogtag. New version of the 
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today 
>> but we have not finished the integration effort yet.
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure your machine can properly resolve its name before 
>> installing the server. Edit /etc/hosts to remove host name from the 
>> localhost and
>> localhost6 lines if needed.
>> - The UI is still rough in places. Use the following query [3] to 
>> see the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for 
>> the time being run:
>>   # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which 
>> is similar to the CA that was provided in IPA v1. This was designed 
>> for testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>> Thank you,
>> FreeIPA development team
>> [1]
>> [2]
>> [3]
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project,
> Red Hat Inc.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
