Hi Alexander, Thank you very much for all that precious information.
> SSSD can but you need Samba to be aware of these things because Samba > needs way more than just passwords. FreeIPA uses different LDAP schema > for the additional attributes compared to what standard Samba PASSDB > module for LDAP expects so if you enable that one in smb.conf, you'll > get nothing. You're absolutely correct. Just after mailing you, I've been testing it and Samba can successfully connect to IPA's LDAP but didn't find password's backend. > As Christoph pointed in the another email, you may try to enable older > Samba-compatible scheme but that wouldn't play well with IPA's support > for SIDs (including on SSSD side) as we are using different attributes > and you'll be forced to maintain certain aspects manually. Then, I'd go for a straight-forward 389-DS instance with Samba schema and authenticate other servers and clients against it via LDAP + TLS over SSSD. I've got this setup running on production systems and works flawlessly for a couple of years now. I don't like very much patching here and there, and then having to fight with upstream updates that can broke something. Everything must (almost) work out of the box. > There is hope to get NTLMSSP support implemented but not soon, we have > bits in place but there is still work to be done. Your work with IPA is absolutely awesome. I follow the project from early versions and I'm a big proponent of moving to from my classic LDAP approach. I think IPA is the way to go for further deployments, but I understand that mixed environments (as mine) are complicated to solve: lots of work and many things that can be problematic. Again, thank you very much. Regards, A.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project