I want to summarize our position regarding joining Windows systems into IPA.
1) If you already have AD we recommend using this system with AD and
using trusts between AD and IPA.
2) If you do not have AD then use Samba 4 instead of it. It would be
great when Samba 4 grows capability to establish trusts. Right now it
can't but there is an effort going on. If you are interested - please
3) If neither of the two options work for you you can configure Windows
system to work directly with IPA as described on the wiki. It is an
option of last resort because IPA does not provide the services windows
client expects. If this is good enough for you, fine by us.
4) Build a native Windows client (cred provider) for IPA using latest
Kerberos. IMO this would be really useful if someone does that because
we will not build this ourselves. With the native OTP support in IPA it
becomes a real business opportunity to provide a native 2FA inside
enterprise across multiple platforms. But please do it open source way
otherwise we would not recommend you ;-)
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list