Hi Alexander,

Thank you very much for all that precious information.

>    SSSD can, but you need Samba to be aware of these things because Samba
>    needs way more than just passwords. FreeIPA uses a different LDAP schema
>    for the additional attributes compared to what the standard Samba PASSDB
>    module for LDAP expects, so if you enable that one in smb.conf, you'll
>    get nothing.

You're absolutely correct. Just after mailing you, I tested it: Samba can
successfully connect to IPA's LDAP but didn't find a password backend.

>    As Christoph pointed out in another email, you may try to enable the older
>    Samba-compatible schema, but that wouldn't play well with IPA's support
>    for SIDs (including on the SSSD side) as we are using different attributes,
>    and you'll be forced to maintain certain aspects manually.

Then, I'd go for a straightforward 389-DS instance with the Samba schema and
authenticate other servers and clients against it via LDAP + TLS over SSSD.
I've got this setup running on production systems and it has worked flawlessly
for a couple of years now.

I don't much like patching here and there, and then having to fight
with upstream updates that can break something. Everything must (almost)
work out of the box.

>    There is hope to get NTLMSSP support implemented but not soon, we have
>    bits in place but there is still work to be done.

Your work with IPA is absolutely awesome. I have followed the project from its early
versions and I'm a big proponent of moving away from my classic LDAP approach.

I think IPA is the way to go for further deployments, but I understand that
mixed environments (as mine) are complicated to solve: lots of work and
many things that can be problematic.

Again, thank you very much.

Regards,

A.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
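The "LDAP + TLS over SSSD" client setup described in the reply above, shown as an added example that is not part of the original email or of any project's documentation. It is a minimal sssd.conf for a client that resolves identities and authenticates against a 389-DS instance carrying the Samba schema. The hostname `ds.example.com`, the base DN, the domain name `example` and the CA certificate path are placeholders; the option names are standard sssd.conf LDAP-provider keys.

```ini
# Added example (not from the original message): client-side sssd.conf for
# authenticating against a 389-DS directory over LDAP with TLS.
# ds.example.com, dc=example,dc=com and the CA path are placeholders.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# Use ldaps:// (TLS from the first byte) rather than plain ldap://
ldap_uri = ldaps://ds.example.com
ldap_search_base = dc=example,dc=com

# Certificate verification. "demand" refuses the connection unless the
# server certificate is valid and chains to the trusted CA below.
# The weak alternative, "ldap_tls_reqcert = never", accepts any certificate
# and would let an interposed host read the user bind credentials.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ds-ca.crt

# Keep logins working when the directory is unreachable (cached hashes
# are stored in the SSSD database, not in the clear).
cache_credentials = true
```

Because the user bind sends the password to the directory, the two settings worth checking on every deployed client are the `ldaps://` scheme in `ldap_uri` and `ldap_tls_reqcert = demand` with a CA file that actually signs the directory's certificate; a misconfigured CA path surfaces as a failed login in the SSSD domain log rather than as a silent downgrade.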