Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

> I have an existing FreeIPA server running on a CentOS machine. It is used
> to authenticate all users on the network. This works very well, but setting
> up Windows workstations is a bit of a pain. I also want to provide some
> network storage for the Windows machines. To this end, I would like to set
> up a Samba 4 server as a slave to FreeIPA so that the Windows workstations
> could join an AD domain controlled by Samba 4, but actually authenticating
> against FreeIPA. I really want to keep FreeIPA in the driving seat, but
> would love to be able to make the Windows workstations behave as though
> they were on a domain.

So you describe above several disconnected cases:
1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible
deployment trusting the FreeIPA deployment.

(1) is possible to implement with a few caveats, and some details are still
rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so.

For now, if there is cross-realm trust with Active Directory, each IPA
master which serves as domain controller (after ipa-adtrust-install was
run on it) could serve as file server but access control setup is a bit

(2) is not possible right now due to the fact that Samba AD DC does not
support cross-forest trusts right now. There is a certain amount of work
to be done to implement the needed logic in Samba.

Alexander Bokovoy

