Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-16 Thread Christovam Paynes Silva
2013/9/12 Dmitri Pal d...@redhat.com

  On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:




 2013/9/11 Dmitri Pal d...@redhat.com

  On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:

  It is a pity!
 Thank you!




  I did not get a feeling that we understand the whole picture correctly
 to say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


  Correct!


  2) Presence of AD to rule them


 Correct!

   3) Presence of users (I deduce in AD too, but unclear) = 1000


  Correct! Users are wirelessly. Use windows and linux without domain.


  Intent: use open source technologies instead of proprietary solution.


   That's right!



 What is not clear:
 a) Are the users that come through the portal the same users that use
 Windows Clients or not? Is there an overlap?


  Users are via wireless. Authenticate users on a captive portal with
 Squid. Customers are windows, linux and without domain.


  b) Is there any kind of Linux servers/machines in the picture?


  This question was not clear to me.


 FreeIPA is a domain controller for Linux/UNIX systems. Its main value is to
 manage Linux environment inside your enterprise. It can manage users and
 groups too as any directory can. It can also authenticate users but its
 value is in creating an integrated Linux environment in terms of identity
 management. It seems that the setup you have does not actually have such
 Linux environment, i.e. Linux machines to join to IPA domain and manage.
 The question was: Do you have Linux systems to manage?




I have 5 servers. But that's just me working on them.
I believe we do not need the IPA.
I appreciate the attention.
Thank you.







 If you do not have Linux systems and all users can be stored in one place
 it might be that you do not need FreeIPA. It might be that you can solve
 the problem by using Samba4 instead of AD, connecting your clients to it,
 putting your external portal users into a special OU in Samba4, configuring
 FreeRADIUS to use this OU for authentication. Configure your portal to use
 RADIUS.



  Sorry, I may not have understood the concept of FreeIPA.

  I would like to continue using the AD, because of Group Policy Objects
 (GPO).


 You need to check whether Samba 4 supports GPO and to what extent.

 http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F


It has the ability to authenticate email services, applications, among
 others directly in Samba4?


 Yes as with any LDAP server but if you are planning to use AD then you do
 not need Samba 4 either.
 You then point your mail service and applications to AD directly.
 Most modern applications have some sort of LDAP integration for
 identity lookup and authentication. That means you would be able to point
 them to pretty much any directory: AD, Samba4, IPA, 389 ...








 HTH

 Thanks
 Dmitri





 2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
  Hello Simo, thanks for the feedback.
  I would use the Samba4 with AD and authenticate my clients windows in
  FreeIPA.
  Is this possible?

  It is not possible at this point to combine Samba4 AD and freeIPA.

 Simo.
  
  2013/9/11 Simo Sorce s...@redhat.com
  On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
   Hello!

   First I apologize if this topic is redundant.

   I'm looking on the implementation of FreeIPA. Looking for the
   forums, have some comments that authentication does not work with
   Samba4. Elsewhere say that that possibility exists. Today we have
   nearly 200 computers in the domain with the Active Directory and one
   wireless captive portal with 1000 + proxy users.

   I would like to see if the following scenario is possible:
   1 - Integrating Samba4 with Active Directory, to use their GPO and
   authenticate network users through the FreeIPA.
   2 - Authenticate proxy servers in FreeIPA.
   3 - And if it is possible some integration with FreeRADIUS

  Hi Christovam, it is a bit unclear what you mean by integrating here.

  Is your intent to use Samba4 as an AD domain controller for your Windows
  clients and IPA for your servers?

  If that's the case unfortunately this is not possible at the moment as
  samba4 does not yet support Forest level trusts.
  A Microsoft AD server can be used this way instead.
 
  Simo.
 
  --
  Simo Sorce * Red Hat, Inc * New York
 
 
 


 --
 Simo Sorce * Red Hat, Inc * New York




  ___
 Freeipa-users mailing 
 

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-12 Thread Dmitri Pal
On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:



 2013/9/11 Dmitri Pal d...@redhat.com

 On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
 It is a pity!
 Thank you!



 I did not get a feeling that we understand the whole picture
 correctly to say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


 Correct!
  

 2) Presence of AD to rule them

  
 Correct!

 3) Presence of users (I deduce in AD too, but unclear) = 1000


 Correct! Users are wirelessly. Use windows and linux without domain.
  

 Intent: use open source technologies instead of proprietary solution.


 That's right!
  


 What is not clear:
 a) Are the users that come through the portal the same users that
 use Windows Clients or not? Is there an overlap?


 Users are via wireless. Authenticate users on a captive portal with
 Squid. Customers are windows, linux and without domain.
  

 b) Is there any kind of Linux servers/machines in the picture?


 This question was not clear to me.

FreeIPA is a domain controller for Linux/UNIX systems. Its main value is
to manage Linux environment inside your enterprise. It can manage users
and groups too as any directory can. It can also authenticate users but
its value is in creating an integrated Linux environment in terms of
identity management. It seems that the setup you have does not actually
have such Linux environment, i.e. Linux machines to join to IPA domain
and manage.
The question was: Do you have Linux systems to manage?

  


 If you do not have Linux systems and all users can be stored in
 one place it might be that you do not need FreeIPA. It might be
 that you can solve the problem by using Samba4 instead of AD,
 connecting your clients to it, putting your external portal users
 into a special OU in Samba4, configuring FreeRADIUS to use this OU
 for authentication. Configure your portal to use RADIUS.



 Sorry, I may not have understood the concept of FreeIPA.

 I would like to continue using the AD, because of Group Policy Objects
 (GPO).

You need to check whether Samba 4 supports GPO and to what extent.
http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

 It has the ability to authenticate email services, applications, among
 others directly in Samba4?

Yes as with any LDAP server but if you are planning to use AD then you
do not need Samba 4 either.
You then point your mail service and applications to AD directly.
Most modern applications have some sort of LDAP integration for
identity lookup and authentication. That means you would be able to
point them to pretty much any directory: AD, Samba4, IPA, 389 ...




  


 HTH

 Thanks
 Dmitri





 2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
  Hello Simo, thanks for the feedback.
  I would use the Samba4 with AD and authenticate my clients windows in
  FreeIPA.
  Is this possible?

 It is not possible at this point to combine Samba4 AD and freeIPA.

 Simo.
 
  2013/9/11 Simo Sorce s...@redhat.com
  On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
   Hello!

   First I apologize if this topic is redundant.

   I'm looking on the implementation of FreeIPA. Looking for the
   forums, have some comments that authentication does not work with
   Samba4. Elsewhere say that that possibility exists. Today we have
   nearly 200 computers in the domain with the Active Directory and one
   wireless captive portal with 1000 + proxy users.

   I would like to see if the following scenario is possible:
   1 - Integrating Samba4 with Active Directory, to use their GPO and
   authenticate network users through the FreeIPA.
   2 - Authenticate proxy servers in FreeIPA.
   3 - And if it is possible some integration with FreeRADIUS

  Hi Christovam, it is a bit unclear what you mean by integrating here.

  Is your intent to use Samba4 as an AD domain controller for your Windows
  clients and IPA for your servers?
 
  If that's the case 

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-12 Thread Christovam Paynes Silva
2013/9/11 Dmitri Pal d...@redhat.com

  On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:

  It is a pity!
 Thank you!




 I did not get a feeling that we understand the whole picture correctly to
 say that we provided the full answer.

 What I get from the description:
 1) Presence of Windows Clients = 100


Correct!


  2) Presence of AD to rule them


Correct!

 3) Presence of users (I deduce in AD too, but unclear) = 1000


Correct! Users are wirelessly. Use windows and linux without domain.


  Intent: use open source technologies instead of proprietary solution.


That's right!



 What is not clear:
 a) Are the users that come through the portal the same users that use
 Windows Clients or not? Is there an overlap?


Users are via wireless. Authenticate users on a captive portal with
Squid. Customers are windows, linux and without domain.


 b) Is there any kind of Linux servers/machines in the picture?


This question was not clear to me.



 If you do not have Linux systems and all users can be stored in one place
 it might be that you do not need FreeIPA. It might be that you can solve
 the problem by using Samba4 instead of AD, connecting your clients to it,
 putting your external portal users into a special OU in Samba4, configuring
 FreeRADIUS to use this OU for authentication. Configure your portal to use
 RADIUS.



Sorry, I may not have understood the concept of FreeIPA.

I would like to continue using the AD, because of Group Policy Objects
(GPO).
It has the ability to authenticate email services, applications, among
others directly in Samba4?





 HTH

 Thanks
 Dmitri





 2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
  Hello Simo, thanks for the feedback.
  I would use the Samba4 with AD and authenticate my clients windows in
  FreeIPA.
  Is this possible?

  It is not possible at this point to combine Samba4 AD and freeIPA.

 Simo.
  
  2013/9/11 Simo Sorce s...@redhat.com
  On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
   Hello!

   First I apologize if this topic is redundant.

   I'm looking on the implementation of FreeIPA. Looking for the
   forums, have some comments that authentication does not work with
   Samba4. Elsewhere say that that possibility exists. Today we have
   nearly 200 computers in the domain with the Active Directory and one
   wireless captive portal with 1000 + proxy users.

   I would like to see if the following scenario is possible:
   1 - Integrating Samba4 with Active Directory, to use their GPO and
   authenticate network users through the FreeIPA.
   2 - Authenticate proxy servers in FreeIPA.
   3 - And if it is possible some integration with FreeRADIUS

  Hi Christovam, it is a bit unclear what you mean by integrating here.

  Is your intent to use Samba4 as an AD domain controller for your Windows
  clients and IPA for your servers?

  If that's the case unfortunately this is not possible at the moment as
  samba4 does not yet support Forest level trusts.
  A Microsoft AD server can be used this way instead.
 
  Simo.
 
  --
  Simo Sorce * Red Hat, Inc * New York
 
 
 


 --
 Simo Sorce * Red Hat, Inc * New York







 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
Hello!

First I apologize if this topic is redundant.

I'm looking on the implementation of FreeIPA. Looking for the forums,
have some comments that authentication does not work with Samba4.
Elsewhere say that that possibility exists. Today we have nearly 200
computers in the domain with the Active Directory and one wireless
captive portal with 1000 + proxy users.
I would like to see if the following scenario is possible:
1 - Integrating Samba4 with Active Directory, to use their GPO and
authenticate network users through the FreeIPA.
2 - Authenticate proxy servers in FreeIPA.
3 - And if it is possible some integration with FreeRADIUS

Thank you!

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
 Hello!
 
 
 First I apologize if this topic is redundant.
 
 
 I'm looking on the implementation of FreeIPA. Looking for the
 forums, have some comments that authentication does not work with
 Samba4. Elsewhere say that that possibility exists. Today we have
 nearly 200 computers in the domain with the Active Directory and one
 wireless captive portal with 1000 + proxy users.

 I would like to see if the following scenario is possible:
 1 - Integrating Samba4 with Active Directory, to use their GPO and
 authenticate network users through the FreeIPA.
 2 - Authenticate proxy servers in FreeIPA.
 3 - And if it is possible some integration with FreeRADIUS
 

Hi Christovam, it is a bit unclear what you mean by integrating here.

Is your intent to use Samba4 as an AD domain controller for your Windows
clients and IPA for your servers?

If that's the case unfortunately this is not possible at the moment as
samba4 does not yet support Forest level trusts.
A Microsoft AD server can be used this way instead.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Dmitri Pal
On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
 It is a pity!
 Thank you!



I did not get a feeling that we understand the whole picture correctly
to say that we provided the full answer.

What I get from the description:
1) Presence of Windows Clients = 100
2) Presence of AD to rule them
3) Presence of users (I deduce in AD too, but unclear) = 1000

Intent: use open source technologies instead of proprietary solution.

What is not clear:
a) Are the users that come through the portal the same users that use
Windows Clients or not? Is there an overlap?
b) Is there any kind of Linux servers/machines in the picture?

If you do not have Linux systems and all users can be stored in one
place it might be that you do not need FreeIPA. It might be that you can
solve the problem by using Samba4 instead of AD, connecting your clients
to it, putting your external portal users into a special OU in Samba4,
configuring FreeRADIUS to use this OU for authentication. Configure your
portal to use RADIUS.

HTH

Thanks
Dmitri





 2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
  Hello Simo, thanks for the feedback.
  I would use the Samba4 with AD and authenticate my clients windows in
  FreeIPA.
  Is this possible?

 It is not possible at this point to combine Samba4 AD and freeIPA.

 Simo.
 
  2013/9/11 Simo Sorce s...@redhat.com
  On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
   Hello!

   First I apologize if this topic is redundant.

   I'm looking on the implementation of FreeIPA. Looking for the
   forums, have some comments that authentication does not work with
   Samba4. Elsewhere say that that possibility exists. Today we have
   nearly 200 computers in the domain with the Active Directory and one
   wireless captive portal with 1000 + proxy users.

   I would like to see if the following scenario is possible:
   1 - Integrating Samba4 with Active Directory, to use their GPO and
   authenticate network users through the FreeIPA.
   2 - Authenticate proxy servers in FreeIPA.
   3 - And if it is possible some integration with FreeRADIUS

  Hi Christovam, it is a bit unclear what you mean by integrating here.

  Is your intent to use Samba4 as an AD domain controller for your Windows
  clients and IPA for your servers?

  If that's the case unfortunately this is not possible at the moment as
  samba4 does not yet support Forest level trusts.
  A Microsoft AD server can be used this way instead.
 
  Simo.
 
  --
  Simo Sorce * Red Hat, Inc * New York
 
 
 


 --
 Simo Sorce * Red Hat, Inc * New York






-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
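
The layout suggested in this message (portal users in their own OU in Samba4, FreeRADIUS authenticating against that OU, the portal speaking RADIUS) could look like the fragments below in FreeRADIUS 3.x. This is an added example, not part of the original e-mail or of any poster's configuration; host names, DNs, the OU name, addresses, file paths and secrets are placeholders. It assumes the portal sends PAP, because an LDAP bind needs the clear-text password.

```conf
# --- mods-available/ldap (FreeRADIUS 3.x syntax; all values are placeholders) ---
ldap {
    # Samba4 AD DC acting as the directory. LDAPS keeps the service
    # account's and the portal users' passwords off the wire in clear text.
    server   = 'ldaps://dc1.example.test'
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=test'
    password = 'CHANGE-ME'
    base_dn  = 'DC=example,DC=test'

    tls {
        ca_file      = '/etc/raddb/certs/samba-ca.pem'
        require_cert = 'demand'      # refuse a DC whose certificate does not verify
    }

    user {
        # Search only the dedicated OU: accounts elsewhere in the tree
        # (domain users, admins, machine accounts) are never matched, so
        # they cannot be used to log in through the portal.
        base_dn = "OU=PortalUsers,${..base_dn}"
        scope   = 'sub'
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# --- sites-available/default: lines to add inside the existing sections ---
authorize {
    ldap
    # User found in the OU and a PAP password is present:
    # verify it by binding to the directory as that user.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}

# --- clients.conf: the captive portal as the only permitted RADIUS client ---
client captive_portal {
    ipaddr = 192.0.2.10
    secret = 'CHANGE-ME-long-random-shared-secret'
}
```

The service account only needs read access to the portal OU, and the portal-to-RADIUS link should stay on a trusted network segment since PAP relies on the shared secret alone.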




Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
 Hello Simo, thanks for the feedback.
 I would use the Samba4 with AD and authenticate my clients windows in
 FreeIPA.
 Is this possible?

It is not possible at this point to combine Samba4 AD and freeIPA.

Simo.
 
 2013/9/11 Simo Sorce s...@redhat.com
 On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
  Hello!

  First I apologize if this topic is redundant.

  I'm looking on the implementation of FreeIPA. Looking for the
  forums, have some comments that authentication does not work with
  Samba4. Elsewhere say that that possibility exists. Today we have
  nearly 200 computers in the domain with the Active Directory and one
  wireless captive portal with 1000 + proxy users.

  I would like to see if the following scenario is possible:
  1 - Integrating Samba4 with Active Directory, to use their GPO and
  authenticate network users through the FreeIPA.
  2 - Authenticate proxy servers in FreeIPA.
  3 - And if it is possible some integration with FreeRADIUS

 Hi Christovam, it is a bit unclear what you mean by integrating here.

 Is your intent to use Samba4 as an AD domain controller for your Windows
 clients and IPA for your servers?

 If that's the case unfortunately this is not possible at the moment as
 samba4 does not yet support Forest level trusts.
 A Microsoft AD server can be used this way instead.
 
 Simo.
 
 --
 Simo Sorce * Red Hat, Inc * New York
 
 
 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
Hello Simo, thanks for the feedback.
I would use the Samba4 with AD and authenticate my clients windows in
FreeIPA.
Is this possible?


2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
  Hello!
 
 
  First I apologize if this topic is redundant.
 
 
  I'm looking on the implementation of FreeIPA. Looking for the
  forums, have some comments that authentication does not work with
  Samba4. Elsewhere say that that possibility exists. Today we have
  nearly 200 computers in the domain with the Active Directory and one
  wireless captive portal with 1000 + proxy users.

  I would like to see if the following scenario is possible:
  1 - Integrating Samba4 with Active Directory, to use their GPO and
  authenticate network users through the FreeIPA.
  2 - Authenticate proxy servers in FreeIPA.
  3 - And if it is possible some integration with FreeRADIUS
 

 Hi Christovam, it is a bit unclear what you mean by integrating here.

 Is your intent to use Samba4 as an AD domain controller for your Windows
 clients and IPA for your servers?

 If that's the case unfortunately this is not possible at the moment as
 samba4 does not yet support Forest level trusts.
 A Microsoft AD server can be used this way instead.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Christovam Paynes Silva
It is a pity!
Thank you!


2013/9/11 Simo Sorce s...@redhat.com

 On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
  Hello Simo, thanks for the feedback.
  I would use the Samba4 with AD and authenticate my clients windows in
  FreeIPA.
  Is this possible?

 It is not possible at this point to combine Samba4 AD and freeIPA.

 Simo.
 
  2013/9/11 Simo Sorce s...@redhat.com
  On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
   Hello!

   First I apologize if this topic is redundant.

   I'm looking on the implementation of FreeIPA. Looking for the
   forums, have some comments that authentication does not work with
   Samba4. Elsewhere say that that possibility exists. Today we have
   nearly 200 computers in the domain with the Active Directory and one
   wireless captive portal with 1000 + proxy users.

   I would like to see if the following scenario is possible:
   1 - Integrating Samba4 with Active Directory, to use their GPO and
   authenticate network users through the FreeIPA.
   2 - Authenticate proxy servers in FreeIPA.
   3 - And if it is possible some integration with FreeRADIUS

  Hi Christovam, it is a bit unclear what you mean by integrating here.

  Is your intent to use Samba4 as an AD domain controller for your Windows
  clients and IPA for your servers?

  If that's the case unfortunately this is not possible at the moment as
  samba4 does not yet support Forest level trusts.
  A Microsoft AD server can be used this way instead.
 
  Simo.
 
  --
  Simo Sorce * Red Hat, Inc * New York
 
 
 


 --
 Simo Sorce * Red Hat, Inc * New York

