On Fri, Jun 7, 2013 at 8:00 PM, Fernando Lozano <ferna...@lozano.eti.br> wrote:
> Thanks for clarifications. We disagree in a few points

Understood. I find a lot of people (especially AD admins) don't have the background to manage LDAP. So I'm naturally pushing them towards IPA.

> (and actually agree on more points) but healthy discussion is what makes
> things improve.

And I agree we agree far, far more than we disagree. Thanx for taking the time to note the 200 and 300 viewpoints I have.

> And here's a link I found, maybe I mixed this with my own conclusions
> ("RHEL6 won't ever support samba4 as a DC, maybe not even RHEL7"). If I
> find more data to support my claims I'll send to you, but I guess we had
> already enough on this topic on the LPI list, at least for a while. :-)
> https://lists.fedoraproject.org/pipermail/devel/2012-June/168253.html

Yes. You'll also find a very complementary Samba page from the exact same time period, one year ago. [1] In a nutshell:

- Red Hat made the decision to stick with MIT Kerberos a couple years back
- The Samba team heeded Red Hat and started taking MIT Kerberos patches
- Red Hat has clear goals for "Phase 1" of the MIT Kerberos support

Red Hat has already reached several of these goals, including ...

- Cross-Forest Trusts between AD and IPA
- Multi-realm (aka multi-domain) credentials for systems and users in SSSD (as well as realmd)

Several of these items are as a result of using MIT Kerberos. E.g., if you read in the Samba doc [1], MIT's "ccache format" is something that Samba4 cannot use because of Heimdal. While multi-domain support is not a big deal for a service, since it would belong in one domain, multi-domain does become more of an issue on client systems, as well as with trusts between domains and forests.

Several others are on-going, like modifying smbd to support principals from other, trusted domains/forests. In fact, Samba 4.0.5+ has been integrating these as part of patches related to MIT Kerberos and IPA support.

Going the other way, IPA is also exposing some oversights in current Samba DC implementation as well, and the IPA teams have been offering to help implement them for Samba DC. [2]

Hence why I keep hammering on the fact that IPA is likely the "way forward" for most Enterprises when it comes to AD integration, including with Samba servers. The Samba servers, running on Linux, could be in an IPA Forest, even though users in AD Forests are accessing them. Many integration aspects go beyond just "emulating an AD DC."

All the meanwhile keeping the Samba servers in a different Forest solves the issue of AD admins barking about schema modifications. ;)

-- bjs

[1] https://wiki.samba.org/index.php/MIT_Build
[2] https://lists.samba.org/archive/samba-technical/2013-April/091345.html

--
Bryan J Smith - Professional, Technical Annoyance
b.j.smith at ieee.org - http://www.linkedin.com/in/bjsmith