>We return to this discussion once in a while... >.... >Samba 4 tries to do it and still struggles after many years >of development. We definitely would look at Samba 4 again when we see it >Sufficiently ready but this is not a priority for 2011.
Maybe this is the reason why freeipa has that less users and nearly no echo in the linux community. >Samba 4 is intended to be a duplicate of AD this is how it is designed >and implemented. The problem here is that samba 4 is still alpha. >I would like to be able to use Linux as the IT backbone without having to >resort to Microsoft. This also our most implemented scenario. Only in last year we migrated a half a dozend companies away from microsoft and AD (on the server side). This year a lot of companies are already planned for migration. Specially with the knowledge in mind that (based on the change of microsofts licensing model for hosters) around 1000 companies only in switzerland will switch their abacus (www.abacus.ch, large erp for switzerland) platform to linux so its REALLY, REALLY (I cannot write how much I would like to accentuate this) important to have a network wide authentication and identity management software to build up large linux server environments with windows frontents. So, having windows clients in the network is the reality we cannot close our eyes to this only because its challenge to implement it. >Linux is lacking a complete solution that acts as a "central authentication >and identity >management platform" I think also this is the only huge area in linux which is really missing. Just think about the huge potential of users and implementations if freeipa acts also as authentication instance for windows environments. Just we only (as small company with 8 persons) whould have the possibility for around 20 migrations this year. It just wage to dream a bit but from my point of view the authentication lack is the only remaining one which prevents the rest of the world (or even europe and switzerland) to massivly migrate to linux and opensource (at least on the server side). Regards Roland ----- Ursprüngliche Mail ----- Von: "Dmitri Pal" <d...@redhat.com> An: "Benjamin Vogt" <benjamin.v...@serv24.biz> CC: "Roland Kaeser" <roland.kae...@intersoft-networks.ch>, freeipa-de...@redhat.com, email@example.com Gesendet: Montag, 3. Januar 2011 22:42:59 Betreff: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release Benjamin Vogt wrote: > I have to agree with Roland. Linux is lacking a complete solution that acts > as a "central authentication and identity management platform". I would like > to be able to use Linux as the IT backbone without having to resort to > Microsoft. The reality is that Windows clients are too widespread in most > enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. > As for reimplementing AD, is there any reason we could not use Samba 4 as a > backend? There are other interesting projects that build on it, such as > openchange which could be a viable Exchange replacement. > We return to this discussion once in a while... Samba 4 is intended to be a duplicate of AD this is how it is designed and implemented. It is not nice to UNIX/Linux in the same way as AD is not. This was one of the reasons we decided not to use Samba 4 as our back end though we did a lot of research and analysis. You can search archives from 2007/2008 for more details. What you are asking for is a very appealing goal but unfortunately not something that can be easily accomplished. Serving Windows clients by a non Windows server is a challenge. Samba 4 tries to do it and still struggles after many years of development. We definitely would look at Samba 4 again when we see it sufficiently ready but this is not a priority for 2011. Thanks Dmitri > Regards, > - Ben > > -----Original Message----- > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser > Sent: Monday, January 03, 2011 19:38 > To: freeipa-de...@redhat.com; firstname.lastname@example.org > Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing > FreeIPA v2 Server Beta 1 Release > > Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) is > excplicitly written that ad integration and samba 3 support will be one of > the features of v2. If not its completly unusable to me, and verisimilar also > to the most other potential users. Its sad, but in the most cases, sysadmins > have to deal with windows machines in their network. So at the moment they > have only the choice between a AD and a samba domain (with LDAP). FreeIPA > whould have so much potential if it acts as a central authentication and > identity management plaform which connects all the diffrent network systems > together Specially in a rhev environment with vdi infrastructures could it be > the central point for authentification, authorization and auditing. But if > the current intention will not change, freeipa will become just another pice > of unusable software which will die soon. Its very sad. > > Regards > > Roland > > > ----- Ursprüngliche Mail ----- > Von: "Dmitri Pal" <d...@redhat.com> > An: "Roland Käser" <roland.kae...@intersoft-networks.ch> > CC: freeipa-de...@redhat.com, email@example.com > Gesendet: Montag, 3. Januar 2011 14:56:03 > Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server > Beta 1 Release > > Roland Kaeser wrote: > >> Hello >> >> Great, I just tested it on F-13 and it runs fine so far. >> But I'm missing a very important feature (to me) which is: Samba Support. >> >> Are there any plans to build samba support into freeipa 2? It would be >> very great to have on single authentication authority without the need of >> installing active directory. >> >> Regards >> >> Roland Kaeser >> >> >> > > There are no plans to integrate Samba in a way you describe. Our next goal on > this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows > clients natively is not something we have in mind. > The intent however to pretend that IPA is yet another AD domain. If your main > domain is going to be Samba 4 instead of AD it might work without installing > AD. But we do not plan to carry install and configure Samba 4 ourselves at > least in the near future (read couple years). > > Thank you > Dmitri > > > > > >> ----- Ursprüngliche Mail ----- >> Von: "Dmitri Pal" <d...@redhat.com> >> An: "freeipa-devel" <freeipa-de...@redhat.com>, "." >> <firstname.lastname@example.org>, freeipa-inter...@redhat.com >> Gesendet: Donnerstag, 23. Dezember 2010 09:06:58 >> Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 >> Release >> >> To all freeipa-interest, freeipa-users and freeipa-devel list members, >> >> The FreeIPA project team is pleased to announce the availability of >> the Beta 1 release of freeIPA 2.0 server . >> - Binaries are available for F-13 and F-14. >> - With this beta freeIPA is feature complete. >> - Please do not hesitate to share feedback, criticism or bugs with us >> on our mailing list: email@example.com >> >> Main Highlights of the Beta >> - This beta is the first attempt to show all planned capabilities of >> the upcoming release. >> - For the first time the new UI is mostly operational and can be used >> to perform management of the system. >> - Some areas are still very rough and we will appreciate your help >> with those. >> >> Focus of the Beta Testing >> - Please take a moment and look at the new Web UI. Any feedback about >> the general approaches, work flows, and usability is appreciated. It >> is still very rough but one can hopefully get a good understanding of >> how we plan the final UI to function and look like. >> - Replication management was significantly improved. Testing of multi >> replica configurations should be easier. >> - We are looking for a feedback about the DNS integration and >> networking issues you find in your environment configuring and using >> IPA with the embedded DNS enabled. >> >> Significant Changes Since Alpha 5 >> - FreeIPA has changed its license to GPLv3+ >> - Having IPA manage the reverse zone is optional. >> - The access control subsystem was re-written to be more understandable. >> For details see  >> - Support for SUDO rules >> - There is now a distinction between replicas and their replication >> agreements in the ipa-replica-manage command. It is now much easier to >> manage the replication topology. >> - Renaming entries is easier with the --rename option of the mod commands. >> - Fix special character handling in passwords, ensure that passwords >> are not logged. >> - Certificates can be saved as PEM files in service-show and host-show >> commands. >> - All IPA services are now started/stopped using the ipactl command. >> This gives us better control over the start/stop order during >> reboot/shutdown. >> - Set up ntpd first so the time is sane. >> - Better multi-valued value handle with --setattr and --addattr. >> - Add support for both RFC2307 and RFC2307bis to migration. >> - UID ranges were reduced by default from 1M to 200k. >> - Add ability to add/remove DNS records when adding/removing a host entry. >> - A number of i18n issues have been addressed. >> - Updated a lot of man pages. >> >> What is not Complete >> - We are still using older version of the Dogtag. New version of the >> Dogtag Certificate System will be based on tomcat6 and is forthcoming. >> - We plan to take advantage of Kerberos 1.9 that was released today >> but we have not finished the integration effort yet. >> >> Known Issues >> - IPV6 works in the installer but not the server itself >> - Make sure you machine can properly resolve its name before >> installing the server. Edit /etc/hosts to remove host name from the >> localhost and >> localhost6 lines if needed. >> - The UI is still rough in places<br>Use the following query  to >> see the tickets currently open against UI. >> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for >> the time being run: >> # ln -s /usr/share/java/xalan-j2-serializer.jar >> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar >> - Instead of Dogtag on F14 you can also try the self-signed CA which >> is similar to the CA that was provided in IPA v1. This was designed >> for testing and development and not recommended for deployment. >> - Make sure you enable updates-testing repository on your fedora machine. >> >> Thank you, >> FreeIPA development team >> >>  http://www.freeipa.org/page/Downloads >>  http://freeipa.org/page/Permissions >>  https://fedorahosted.org/freeipa/report/12 >> >> _______________________________________________ >> Freeipa-interest mailing list >> freeipa-inter...@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-interest >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- InterSoft Networks Roland Käser, Systems Engineer OpenSource Fulachstr. 197, 8200 Schaffhausen Tel: +41 77 415 79 11 ------------------------------------------------------------------------------------------------------------------------------ Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben, werden am Ende keines von beiden haben - und verdienen es auch nicht. (Benjamin Franklin) ------------------------------------------------------------------------------------------------------------------------------ _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users