Thank you very much for all that precious information.
> SSSD can but you need Samba to be aware of these things because Samba
> needs way more than just passwords. FreeIPA uses different LDAP schema
> for the additional attributes compared to what standard Samba PASSDB
> module for LDAP expects so if you enable that one in smb.conf, you'll
> get nothing.
You're absolutely correct. Just after mailing you, I've been testing it and
Samba can successfully connect to IPA's LDAP but didn't find password's
> As Christoph pointed out in another email, you may try to enable older
> Samba-compatible scheme but that wouldn't play well with IPA's support
> for SIDs (including on SSSD side) as we are using different attributes
> and you'll be forced to maintain certain aspects manually.
Then, I'd go for a straightforward 389-DS instance with Samba schema and
authenticate other servers and clients against it via LDAP + TLS over SSSD.
I've got this setup running on production systems and it has worked
flawlessly for a couple of years now.
I don't much like patching here and there, and then having to fight
with upstream updates that can break something. Everything must (almost)
work out of the box.
> There is hope to get NTLMSSP support implemented but not soon, we have
> bits in place but there is still work to be done.
Your work with IPA is absolutely awesome. I have followed the project since
its early versions and I'm a big proponent of moving to it from my classic
LDAP approach.
I think IPA is the way to go for further deployments, but I understand that
mixed environments (like mine) are complicated to solve: lots of work and
many things that can be problematic.
Again, thank you very much.