Sorry forgot last note:
>From my point of view, for the moment its not that much which is required. It 
>would only be supporting the samba ldap attributes in the ldap server and 
>extension of the management framework to create samba domains, users, groups 
>and machine accounts until samba 4 is stable (already hope for end of this 
>year). As far as I understand the problematics in windows kerberos and samba, 
>it should possible to connect the windows machines directly to the kerberos 
>server but have the windows related informations such as sid's etc. also 
>available though samba so login scripts and network wide security and single 
>sign on should be possible.


----- Ursprüngliche Mail -----
Von: "Dmitri Pal" <>
An: "Benjamin Vogt" <>
CC: "Roland Kaeser" <>,,
Gesendet: Montag, 3. Januar 2011 22:42:59
Betreff: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing 
FreeIPA v2 Server Beta 1 Release

Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts 
> as a "central authentication and identity management platform". I would like 
> to be able to use Linux as the IT backbone without having to resort to 
> Microsoft. The reality is that Windows clients are too widespread in most 
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. 
> As for reimplementing AD, is there any reason we could not use Samba 4 as a 
> backend? There are other interesting projects that build on it, such as 
> openchange which could be a viable Exchange replacement.

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.


> Regards,
> - Ben
> -----Original Message-----
> From: 
> [] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To:;
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing 
> FreeIPA v2 Server Beta 1 Release
> Strange, even in the v2 outline ( is 
> excplicitly written that ad integration and samba 3 support will be one of 
> the features of v2. If not its completly unusable to me, and verisimilar also 
> to the most other potential users. Its sad, but in the most cases, sysadmins 
> have to deal with windows machines in their network. So at the moment they 
> have only the choice between a AD and a samba domain (with LDAP). FreeIPA 
> whould have so much potential if it acts as a central authentication and 
> identity management plaform which connects all the diffrent network systems 
> together Specially in a rhev environment with vdi infrastructures could it be 
> the central point for authentification, authorization and auditing. But if 
> the current intention will not change, freeipa will become just another pice 
> of unusable software which will die soon. Its very sad.
> Regards
> Roland
> ----- Ursprüngliche Mail -----
> Von: "Dmitri Pal" <>
> An: "Roland Käser" <>
> CC:,
> Gesendet: Montag, 3. Januar 2011 14:56:03
> Betreff: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server 
> Beta 1 Release
> Roland Kaeser wrote:
>> Hello
>> Great, I just tested it on F-13 and it runs fine so far. 
>> But I'm missing a very important feature (to me) which is: Samba Support.
>> Are there any plans to build samba support into freeipa 2? It would be 
>> very great to have on single authentication authority without the need of 
>> installing active directory.
>> Regards
>> Roland Kaeser
> There are no plans to integrate Samba in a way you describe. Our next goal on 
> this path is to allow cross Kerberos trusts (IPA v3) but supporting Windows 
> clients natively is not something we have in mind.
> The intent however to pretend that IPA is yet another AD domain. If your main 
> domain is going to be Samba 4 instead of AD it might work without installing 
> AD. But we do not plan to carry install and configure Samba 4 ourselves at 
> least in the near future (read couple years).
> Thank you
> Dmitri
>> ----- Ursprüngliche Mail -----
>> Von: "Dmitri Pal" <>
>> An: "freeipa-devel" <>, "." 
>> <>,
>> Gesendet: Donnerstag, 23. Dezember 2010 09:06:58
>> Betreff: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 
>> Release
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>> The FreeIPA project team is pleased to announce the availability of 
>> the Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us 
>> on our mailing list:
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of 
>> the upcoming release.
>> - For the first time the new UI is mostly operational and can be used 
>> to perform management of the system.
>> - Some areas are still very rough and we will appreciate your help 
>> with those.
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about 
>> the general approaches, work flows, and usability is appreciated. It 
>> is still very rough but one can hopefully get a good understanding of 
>> how we plan the final UI to function and look like.
>> - Replication management was significantly improved. Testing of multi 
>> replica configurations should be easier.
>> - We are looking for a feedback about the DNS integration and 
>> networking issues you find in your environment configuring and using 
>> IPA with the embedded DNS enabled.
>> Significant Changes Since Alpha 5
>> - FreeIPA has changed its license to GPLv3+
>> - Having IPA manage the reverse zone is optional.
>> - The access control subsystem was re-written to be more understandable.
>> For details see [2]
>> - Support for SUDO rules
>> - There is now a distinction between replicas and their replication 
>> agreements in the ipa-replica-manage command. It is now much easier to 
>> manage the replication topology.
>> - Renaming entries is easier with the --rename option of the mod commands.
>> - Fix special character handling in passwords, ensure that passwords 
>> are not logged.
>> - Certificates can be saved as PEM files in service-show and host-show 
>> commands.
>> - All IPA services are now started/stopped using the ipactl command.
>> This gives us better control over the start/stop order during 
>> reboot/shutdown.
>> - Set up ntpd first so the time is sane.
>> - Better multi-valued value handle with --setattr and --addattr.
>> - Add support for both RFC2307 and RFC2307bis to migration.
>> - UID ranges were reduced by default from 1M to 200k.
>> - Add ability to add/remove DNS records when adding/removing a host entry.
>> - A number of i18n issues have been addressed.
>> - Updated a lot of man pages.
>> What is not Complete
>> - We are still using older version of the Dogtag. New version of the 
>> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
>> - We plan to take advantage of Kerberos 1.9 that was released today 
>> but we have not finished the integration effort yet.
>> Known Issues
>> - IPV6 works in the installer but not the server itself
>> - Make sure you machine can properly resolve its name before 
>> installing the server. Edit /etc/hosts to remove host name from the 
>> localhost and
>> localhost6 lines if needed.
>> - The UI is still rough in places<br>Use the following query [3] to 
>> see the tickets currently open against UI.
>> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for for 
>> the time being run:
>>   # ln -s /usr/share/java/xalan-j2-serializer.jar
>> /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
>> - Instead of Dogtag on F14 you can also try the self-signed CA which 
>> is similar to the CA that was provided in IPA v1. This was designed 
>> for testing and development and not recommended for deployment.
>> - Make sure you enable updates-testing repository on your fedora machine.
>> Thank you,
>> FreeIPA development team
>> [1]
>> [2]
>> [3]
>> _______________________________________________
>> Freeipa-interest mailing list
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> -------------------------------
> Looking to carve out IT costs?

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?


InterSoft Networks 
Roland Käser, Systems Engineer OpenSource 
Fulachstr. 197, 8200 Schaffhausen 
Tel: +41 77 415 79 11 
Diejenigen, die ihre Freiheit zugunsten der Sicherheit aufgeben, 
werden am Ende keines von beiden haben - und verdienen es auch nicht. 
(Benjamin Franklin) 

Freeipa-users mailing list

Reply via email to