On Sat, 21 Sep 2013, Fred van Zwieten wrote:
Hold on. This has, in principle, nothing to do with FreeIPA. I have a SAMBA
server that I make a NT-4 style PDC en build a trust with an AD domain. The
only thing is that the SAMBA service runs on a server that is an
IPA-client. In this setup the system is member of IPA and the SAMBA service
running on it is member of it's own NT-4 Domain. Afaik NT-4 style domains
do nothing with kerberos nor with DNS. So, no name clashes.

Sure. What this PDC would use as user/group/password databases?
Existing FreeIPA setup does not provide you needed objectclasses to
support ldapsam PASSDB module, we utilize different schema to store
passwords and SIDs.

If you have AD domain, you already can have trust with AD using features
provided by FreeIPA 3.x. But you can join Windows PC already to that AD
domain. What is purpose of making another NT4-style domain?

Even if the NT4-style domain is there, would it be in forest with AD
domain? If yes, then its members would only get access to FreeIPA
resources with upcoming FreeIPA 3.4 where subdomains (domains of the
trusted forest other than its root) would be supported -- again, with
Kerberos only, since we don't use winbindd to perform lookups for the
users in FreeIPA 3.3+. By definition that NT4-style domain would not
support Kerberos, thus loosing way to follow trust path.

If you don't have AD domain, making another NT4-style domain backed by
the same FreeIPA database via some module and then force Windows PC to join
the domain via that DC would in theory allow access to other FreeIPA
services. I'm not sure though if this is going to work with Windows 7
and above as they are trying to resolve DNS and use SRV records first
and prefer to follow AD join path if found, so you'd need to play
firewall and other games with convincing them being off path.

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to