That is actually pretty good news.  The real requirement is network storage for 
the Windows workstations secured by FreeIPA authentication.  If I read what 
you’ve said correctly this is possible now.  I can live with the magical 
incantations to enrol any new Windows machines for now.  There are a few things 
that would work better if Windows thought it was logging on to a domain, but we 
have lived without those features for the last year.  Once a Windows machine 
has been set up correctly, which can be a bit hit and miss, the authentication 
works flawlessly.

It sounds as though I can set up the file server now and then extend it to do 
the AD DC bit when it is ready.

I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is 

Sent from Windows Mail

From: Alexander Bokovoy
Sent: Tuesday, 30 April 2013 18:01
To: Simon Williams
Cc: freeipa-users

On Tue, 30 Apr 2013, Simon Williams wrote:
>I don't know if anyone has tried what I want to do, I really just want to
>know if it's possible at the moment. A few pointers to any information
>would be helpful too!
Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

>I have an existing FreeIPA server running on a CentOS machine. It is used
>to authenticate all users on the network. This works very well, but setting
>up Windows workstations is a bit of a pain. I also want to provide some
>network storage for the windows machines. To this end, I would like to set
>up a Samba 4 server as a slave to FreeIPA so that the Windows workstations
>could join an AD domain controlled by Samba 4, but actually authenticating
>against FreeIPA. I really want to keep FreeIPA in the driving seat, but
>would love to be able to make the Windows workstations behave as though
>they were on a domain.
So you describe above several disconnected cases:
1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible
deployment trusting FreeIPA deployment.

(1) is possible to implement with few caveats and some details are still
rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so.

For now, if there is cross-realm trust with Active Directory, each IPA
master which serves as domain controller (after ipa-adtrust-install was
run on it) could serve as file server but access control setup is a bit

(2) is not possible right now due to the fact that Samba AD DC does not
support cross-forest trusts right now. There is a certain amount of work
to be done to implement the needed logic in Samba.

/ Alexander Bokovoy
Freeipa-users mailing list
