That is actually pretty good news. The real requirement is network storage for
the Windows workstations secured by FreeIPA authentication. If I read what
you’ve said correctly this is possible now. I can live with the magical
incantations to enrol any new Windows machines for now. There are a few things
that would work better if Windows thought it was logging on to a domain, but we
have lived without those features for the last year. Once a Windows machine
has been set up correctly, which can be a bit hit and miss, the authentication
works flawlessly.
It sounds as though I can set up the file server now and then extend it to do
the AD DC bit when it is ready.
I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is
Sent from Windows Mail
From: Alexander Bokovoy
Sent: Tuesday, 30 April 2013 18:01
To: Simon Williams
On Tue, 30 Apr 2013, Simon Williams wrote:
>I don't know if anyone has tried what I want to do, I really just want to
>know if it's possible at the moment. A few pointers to any information
>would be helpful too!
Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.
>I have an existing FreeIPA server running on a CentOS machine. It is used
>to authenticate all users on the network. This works very well, but setting
>up Windows workstations is a bit of a pain. I also want to provide some
>network storage for the windows machines. To this end, I would like to set
>up a Samba 4 server as a slave to FreeIPA so that the Windows workstations
>could join an AD domain controlled by Samba 4, but actually authenticating
>against FreeIPA. I really want to keep FreeIPA in the driving seat, but
>would love to be able to make the Windows workstations behave as though
>they were on a domain.
So you describe above several disconnected cases:
1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible
deployment trusting FreeIPA deployment.
(1) is possible to implement with a few caveats, and some details are still
rough. We have plans to make the experience smoother for FreeIPA 3.3+ or so.
For now, if there is cross-realm trust with Active Directory, each IPA
master which serves as domain controller (after ipa-adtrust-install was
run on it) could serve as file server but access control setup is a bit
(2) is not possible right now due to the fact that Samba AD DC does not
support cross-forest trusts right now. There is a certain amount of work
to be done to implement the needed logic in Samba.
/ Alexander Bokovoy
Freeipa-users mailing list