On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote:
> That is actually pretty good news. The real requirement is network
> storage for the Windows workstations secured by FreeIPA authentication.
> If I read what you’ve said correctly this is possible now. I can live
> with the magical incantations to enrol any new Windows machines for
> now. There are a few things that would work better if Windows thought
> it was logging on to a domain, but we have lived without those features
> for the last year. Once a Windows machine has been set up correctly,
> which can be a bit hit and miss, the authentication works flawlessly.
To be clear, we have not tested this combination so you'll be in uncharted
Since the TGT for these users would still be issued by the FreeIPA KDC, it would
include an MS-PAC with the SIDs of these users in the FreeIPA domain -- once you
have run ipa-adtrust-install, of course. Thus, smbd on the IPA master would
be able to recognize them as FreeIPA users regardless of where they come
from -- IPA or Windows machines, as long as Kerberos is in use.
Any reports of how such a setup would actually behave are welcome.
> It sounds as though I can set up the file server now and then extend it
> to do the AD DC bit when it is ready.
> I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo
> anywhere is there?
The only requirements for a simplistic setup are to:
1. run the file server on an IPA master (you can make a dedicated replica for that)
2. run ipa-adtrust-install on that master to set up the Samba configuration
and enable the KDC + directory server to handle SIDs
3. use 'net conf setparm ...' to set up shares, since Samba on an IPA master
uses the registry backend to store the smb.conf configuration.
for a sample of how to work with 'net conf setparm'.
For 'valid users' I guess you can use simply user names since these
would be our local ones.
Again, this is completely untested right now.
/ Alexander Bokovoy
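The three-step setup above, written out as a script. This is an added example and not code from the thread or from the FreeIPA project; the share name `data`, the path `/srv/samba/data` and the user names `alice` and `bob` are illustrative assumptions. It uses the `net conf addshare`, `net conf setparm`, `net conf getparm` and `net conf list` subcommands that Samba provides for a registry-backed smb.conf, and a `DRY_RUN` switch prints each command instead of executing it, so the change set can be reviewed before it is applied as root on the master.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Defines a share on a FreeIPA master whose smb.conf is registry-backed
# (the situation after ipa-adtrust-install), using 'net conf' as the reply
# describes. Share name, path and user names are illustrative assumptions.
#
# DRY_RUN=1 prints each command instead of running it, so the change set can
# be reviewed (or exercised on a box without 'net') before touching the master.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a registry-backed share and restrict it to named IPA users.
# Arguments: share name, directory on the master, 'valid users' value.
# Kerberos identifies the caller (the IPA KDC puts the user's SIDs in the
# MS-PAC); 'valid users' is what actually grants or denies the share.
add_share() {
    share="$1"; path="$2"; users="$3"
    # net conf addshare <name> <path> writeable=y guest_ok=n <comment>
    run net conf addshare "$share" "$path" writeable=y guest_ok=n "IPA-authenticated share"
    # Plain IPA user names, as the reply suggests; Samba also accepts
    # @groupname for a group.
    run net conf setparm "$share" "valid users" "$users"
    # Deny anonymous access explicitly rather than relying on defaults.
    run net conf setparm "$share" "guest ok" "no"
    # Workstations need to write to their network storage.
    run net conf setparm "$share" "read only" "no"
}

# Read a single parameter back for verification.
get_param() {
    run net conf getparm "$1" "$2"
}

# Dump the whole registry-backed configuration.
list_conf() {
    run net conf list
}

# Usage:  DRY_RUN=1 sh samba-share.sh demo   (print the command sequence)
#         sh samba-share.sh demo             (apply it, as root on the master)
if [ "${1:-}" = "demo" ]; then
    add_share data /srv/samba/data "alice, bob"
    get_param data "valid users"
    list_conf
fi
```

Running it with `DRY_RUN=1` first and reading the printed sequence is the cheap check that the `valid users` list and the guest setting are what you intend before anything is written into the registry; afterwards `net conf getparm data "valid users"` confirms what smbd will actually enforce.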
Freeipa-users mailing list