Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-05 Thread Roland Kaeser
>We return to this discussion once in a while...
>
>Samba 4 tries to do it and still struggles after many years
>of development. We definitely would look at Samba 4 again when we see it
>sufficiently ready but this is not a priority for 2011.

Maybe this is the reason why FreeIPA has so few users and nearly no echo in
the Linux community.

>Samba 4 is intended to be a duplicate of AD this is how it is designed
>and implemented.
The problem here is that Samba 4 is still alpha.

>I would like to be able to use Linux as the IT backbone without having to 
>resort to Microsoft.
This is also our most implemented scenario. In the last year alone we migrated
half a dozen companies away from Microsoft and AD (on the server side). This
year a lot of companies are already planned for migration. Especially with the
knowledge in mind that (based on the change of Microsoft's licensing model for
hosters) around 1000 companies in Switzerland alone will switch their Abacus
(www.abacus.ch, large ERP for Switzerland) platform to Linux, so it's REALLY,
REALLY (I cannot write how much I would like to accentuate this) important to
have a network-wide authentication and identity management software to build up
large Linux server environments with Windows frontends.
So, having Windows clients in the network is the reality; we cannot close our
eyes to this only because it's a challenge to implement it.

>Linux is lacking a complete solution that acts as a "central authentication
>and identity management platform"
I also think this is the only huge area in Linux which is really missing. Just
think about the huge potential of users and implementations if FreeIPA also
acts as authentication instance for Windows environments. We alone (as a
small company with 8 persons) would have the possibility for around 20
migrations this year. It just wage to dream a bit, but from my point of view the
authentication lack is the only remaining one which prevents the rest of the
world (or even Europe and Switzerland) from massively migrating to Linux and
open source (at least on the server side).

Regards

Roland




- Original Message -
From: "Dmitri Pal"
To: "Benjamin Vogt"
CC: "Roland Kaeser" ,
freeipa-de...@redhat.com, freeipa-users@redhat.com
Sent: Monday, 3 January 2011 22:42:59
Subject: Re: [Freeipa-devel] [Freeipa-users] [Freeipa-interest] Announcing
FreeIPA v2 Server Beta 1 Release

Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts 
> as a "central authentication and identity management platform". I would like 
> to be able to use Linux as the IT backbone without having to resort to 
> Microsoft. The reality is that Windows clients are too widespread in most 
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. 
> As for reimplementing AD, is there any reason we could not use Samba 4 as a 
> backend? There are other interesting projects that build on it, such as 
> openchange which could be a viable Exchange replacement.
>   

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.

Thanks
Dmitri  


> Regards,
> - Ben
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roland Kaeser
> Sent: Monday, January 03, 2011 19:38
> To: freeipa-de...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing 
> FreeIPA v2 Server Beta 1 Release
>
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is
> explicitly written that AD integration and Samba 3 support will be one of
> the features of v2. If not, it's completely unusable to me, and verisimilar also
> to most other potential users. It's sad, but in most cases, sysadmins
> have to deal with Windows machines in their network. So at the moment they
> have only the choice between an AD and a Samba domain (with LDAP). FreeIPA
> would have so much potential if it acts as a central authentication and
> identity management platform which connects all the different network systems
> to

Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-05 Thread Roland Kaeser
Sorry, forgot last note:
From my point of view, for the moment it's not that much which is required. It
would only be supporting the Samba LDAP attributes in the LDAP server and an
extension of the management framework to create Samba domains, users, groups
and machine accounts until Samba 4 is stable (already hope for end of this
year). As far as I understand the problematics in Windows Kerberos and Samba,
it should be possible to connect the Windows machines directly to the Kerberos
server but have the Windows-related information such as SIDs etc. also
available through Samba so login scripts and network-wide security and single
sign-on should be possible.

Roland



Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-04 Thread JR Aquino
On 1/4/11 1:04 AM, "Roland Kaeser" wrote:

>>We return to this discussion once in a while...
>>
>>Samba 4 tries to do it and still struggles after many years
>>of development. We definitely would look at Samba 4 again when we see it
>>sufficiently ready but this is not a priority for 2011.
>
>Maybe this is the reason why FreeIPA has so few users and nearly no
>echo in the Linux community.

I disagree, Roland.  The Linux community at large is generally living in
the dark ages of authorization management.

There are no comparative comprehensive Linux solutions in the community
thus far which actually address scalable authentication and authorization
from Linux systems by a Linux solution.

My observation of the quiet in the community is due to lack of solutions
out there.

/etc/access.conf, pam_ldap, Certify, hosts.allow are very primitive means
to control access to a Linux client.

Regardless of how complex you make your authentication database, to this
day, you are still limited to: pam_ldap, access.conf, Certify,
hosts.allow... These are very primitive means to control access to a
Linux client.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is
available to the Open Source community.

We cannot and should not attempt to explain the quiet with answers of
disinterest or lack of Microsoft support.

The fact is, there has not yet been a competent Linux solution and as a
result the utilization of pure Linux environments has been stunted with
people settling for things like /etc/passwd, /etc/access.conf, pam_ldap,
and NIS...

What you are describing is the reinventing of the wheel.  Which has
previously been answered: If the goal is to provide an alternative Linux
authentication/authorization method for Microsoft Windows, then there are
already existing solutions out there: Samba4, Novell eDirectory +
Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic
authentication/authorization interactions that other OS's have taken for
granted for years.
 
>
>>Samba 4 is intended to be a duplicate of AD this is how it is designed
>>and implemented.
>The problem here is that Samba 4 is still alpha.
>
>>I would like to be able to use Linux as the IT backbone without having
>>to resort to Microsoft.
>This is also our most implemented scenario. In the last year alone we
>migrated half a dozen companies away from Microsoft and AD (on the server
>side). This year a lot of companies are already planned for migration.
>Especially with the knowledge in mind that (based on the change of
>Microsoft's licensing model for hosters) around 1000 companies in
>Switzerland alone will switch their Abacus (www.abacus.ch, large ERP for
>Switzerland) platform to Linux, so it's REALLY, REALLY (I cannot write how
>much I would like to accentuate this) important to have a network-wide
>authentication and identity management software to build up large Linux
>server environments with Windows frontends.
>So, having Windows clients in the network is the reality; we cannot close
>our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client,
server, email, and productivity solutions.

It's not just a challenge to implement a successful means of replacing the
backend, it is directly opposed to the goals of its creator: Microsoft.

The various components within Microsoft's (and most commercial) solutions
are designed at their core to be proprietary with the effort of drawing in
consumers to more pieces of their puzzle.

It is entirely likely that it will be necessary to have both solutions in
place and working together, rather than attempting to circumvent
Microsoft's solution.

>
>>Linux is lacking a complete solution that acts as a "central
>>authentication and identity management platform"
>I also think this is the only huge area in Linux which is really missing.
>Just think about the huge potential of users and implementations if
>FreeIPA also acts as authentication instance for Windows environments.
>We alone (as a small company with 8 persons) would have the
>possibility for around 20 migrations this year. It just wage to dream a
>bit, but from my point of view the authentication lack is the only
>remaining one which prevents the rest of the world (or even Europe and
>Switzerland) from massively migrating to Linux and open source (at least
>on the server side).

While I agree that a truly unified solution which answers all clients'
authentication needs is a worthwhile concept, in practice, throughout my
entire career, I've learned that the commercial design of this ecosystem
conflicts with this ambitious ideal.

I have had a great deal of experience in highly dense and distributed
(worldwide) native Linux installations which service Windows clients.

All tools are best used by their intended design.  If the only tool you
have is a Hammer, you may approach all of your problems as if they are
nails.

~~
Jr A

Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Dmitri Pal
Benjamin Vogt wrote:
> I have to agree with Roland. Linux is lacking a complete solution that acts 
> as a "central authentication and identity management platform". I would like 
> to be able to use Linux as the IT backbone without having to resort to 
> Microsoft. The reality is that Windows clients are too widespread in most 
> enterprises. So far, I don't see the benefits in upgrading from FreeIPA 1.2. 
> As for reimplementing AD, is there any reason we could not use Samba 4 as a 
> backend? There are other interesting projects that build on it, such as 
> openchange which could be a viable Exchange replacement.
>   

We return to this discussion once in a while...
Samba 4 is intended to be a duplicate of AD this is how it is designed
and implemented. It is not nice to UNIX/Linux in the same way as AD is
not. This was one of the reasons we decided not to use Samba 4 as our
back end though we did a lot of research and analysis. You can search
archives from 2007/2008 for more details. What you are asking for is a
very appealing goal but unfortunately not something that can be easily
accomplished. Serving Windows clients by a non Windows server is a
challenge. Samba 4 tries to do it and still struggles after many years
of development. We definitely would look at Samba 4 again when we see it
sufficiently ready but this is not a priority for 2011.

Thanks
Dmitri  


Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Benjamin Vogt
I have to agree with Roland. Linux is lacking a complete solution that acts as 
a "central authentication and identity management platform". I would like to be 
able to use Linux as the IT backbone without having to resort to Microsoft. The 
reality is that Windows clients are too widespread in most enterprises. So far, 
I don't see the benefits in upgrading from FreeIPA 1.2. As for reimplementing 
AD, is there any reason we could not use Samba 4 as a backend? There are other 
interesting projects that build on it, such as openchange which could be a 
viable Exchange replacement.

Regards,
- Ben


Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Christian Horn
On Mon, Jan 03, 2011 at 07:37:51PM +0100, Roland Kaeser wrote:
> It's sad, but in most cases, sysadmins have to deal with
> Windows machines in their network.

True, but IMHO the strategy FreeIPA is currently following in doing
interop with crossrealm-trusts is the only long-term way to go.
Spending efforts to make FreeIPA behave like another exact-AD-clone
is wasting resources; samba4 is already good in doing this special
task.

Yet it's interesting to see how stable samba4-operation in
windows-AD-environments will be since one cannot be sure the
samba4-project will be notified of protocol-changes etc.

Crossrealm is used in some environments and Microsoft did also
help with debugging of problems.

FreeIPA could be base for a Linux/Unix world's AD, bringing in all
the good things about open source software.


Christian



Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Roland Kaeser
Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is
explicitly written that AD integration and Samba 3 support will be one of the
features of v2. If not, it's completely unusable to me, and verisimilar also to
most other potential users. It's sad, but in most cases, sysadmins have
to deal with Windows machines in their network. So at the moment they have only
the choice between an AD and a Samba domain (with LDAP). FreeIPA would have so
much potential if it acts as a central authentication and identity management
platform which connects all the different network systems together. Especially
in a RHEV environment with VDI infrastructures it could be the central point for
authentication, authorization and auditing. But if the current intention will
not change, FreeIPA will become just another piece of unusable software which
will die soon. It's very sad.

Regards

Roland


- Original Message -
From: "Dmitri Pal"
To: "Roland Käser"
CC: freeipa-de...@redhat.com, freeipa-users@redhat.com
Sent: Monday, 3 January 2011 14:56:03
Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server
Beta 1 Release

Roland Kaeser wrote:
> Hello
>
> Great, I just tested it on F-13 and it runs fine so far. 
> But I'm missing a very important feature (to me) which is: Samba support.
>
> Are there any plans to build Samba support into FreeIPA 2? It would be very
> great to have one single
> authentication authority without the need of installing Active Directory.
>
> Regards
>
> Roland Kaeser
>
>   

There are no plans to integrate Samba in a way you describe. Our next
goal on this path is to allow cross Kerberos trusts (IPA v3) but
supporting Windows clients natively is not something we have in mind.
The intent however is to pretend that IPA is yet another AD domain. If your
main domain is going to be Samba 4 instead of AD it might work without
installing AD. But we do not plan to carry install and configure Samba 4
ourselves at least in the near future (read couple years).

Thank you
Dmitri




> - Original Message -
> From: "Dmitri Pal"
> To: "freeipa-devel" , "."
> , freeipa-inter...@redhat.com
> Sent: Thursday, 23 December 2010 09:06:58
> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Beta 1 release of freeIPA 2.0 server [1].
> - Binaries are available for F-13 and F-14.
> - With this beta freeIPA is feature complete.
> - Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users@redhat.com
>
> Main Highlights of the Beta
> - This beta is the first attempt to show all planned capabilities of the
> upcoming release.
> - For the first time the new UI is mostly operational and can be used to
> perform management of the system.
> - Some areas are still very rough and we will appreciate your help with
> those.
>
> Focus of the Beta Testing
> - Please take a moment and look at the new Web UI. Any feedback about
> the general approaches, work flows, and usability is appreciated. It is
> still very rough but one can hopefully get a good understanding of how
> we plan the final UI to function and look like.
> - Replication management was significantly improved. Testing of multi
> replica configurations should be easier.
> - We are looking for a feedback about the DNS integration and networking
> issues you find in your environment configuring and using IPA with the
> embedded DNS enabled.
>
> Significant Changes Since Alpha 5
> - FreeIPA has changed its license to GPLv3+
> - Having IPA manage the reverse zone is optional.
> - The access control subsystem was re-written to be more understandable.
> For details see [2]
> - Support for SUDO rules
> - There is now a distinction between replicas and their replication
> agreements in the ipa-replica-manage command. It is now much easier to
> manage the replication topology.
> - Renaming entries is easier with the --rename option of the mod commands.
> - Fix special character handling in passwords, ensure that passwords are
> not logged.
> - Certificates can be saved as PEM files in service-show and host-show
> commands.
> - All IPA services are now started/stopped using the ipactl command.
> This gives us better control over the start/stop order during
> reboot/shutdown.
> - Set up ntpd first so the time is sane.
> - Better multi-valued value handle with --setattr and --addattr.
> - Add support for both RFC2307 and RFC2307bis to migration.
> - UID ranges were reduced by default from 1M to 200k.
> - Add ability to add/remove DNS records when adding/removing a host entry.
> - A number of i18n issues have been addressed.
> - Updated a lot of man pages.
>
> What is not Complete
> - We are still using older version of the Dogtag. New version of the
> Dogtag Certificate System will be based on t

Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Dmitri Pal
Roland Kaeser wrote:
> Strange, even in the v2 outline (http://www.freeipa.org/page/V2Outline) it is
> explicitly written that AD integration and Samba 3 support will be one of
> the features of v2.
I guess there is some misinterpretation. Samba 3 does not provide a way
to integrate contemporary Windows clients. The Samba 3 integration
mentioned in the outline is the integration of Samba 3 as a CIFS server.


> If not, it's completely unusable to me, and verisimilar also to most other
> potential users.

It is assumed that most of the current users currently have AD in their
environment anyways. We are not putting a goal of taking over the world
and replacing AD altogether. Rather we plan to interoperate with it.

> It's sad, but in most cases, sysadmins have to deal with Windows machines
> in their network. So at the moment they have only the choice between an AD and
> a Samba domain (with LDAP).

Samba 4 is the alternative to AD.

> FreeIPA would have so much potential if it acts as a central authentication
> and identity management platform which connects all the different network
> systems together
It will connect by allowing cross kerberos trust with AD/Samba 4 but its
goal is not to replace AD as a primary identity server for Windows
clients. It is just not possible to do other than re-implement AD which
Samba 4 already does. So if you want to move away from AD you might take
advantage of Samba 4 as a replacement for your AD and using cross
kerberos trusts allow SSO with IPA environment. At some point we might
make this integration more automatic but this is not on the road map for
now.


> Especially in a rhev environment with vdi infrastructures it could be the 
> central point for authentication, authorization and auditing. 

Absolutely! RHEV environment is something we definitely have in mind and
the cross kerberos trust solution we plan for v3 should address this use
case. It is the question of how complete will be the implementation of
the trusts. Depending on time we might go for the higher priority use
cases (IPA is a resource domain) than the full trust required for VDI
to work the way you envision. But still VDI is a significant use case we
have in mind.

> But if the current intention will not change, freeipa will become just 
> another piece of unusable software which will die soon. It's very sad.
>
>   
The intention is to be realistic and not require drastic changes to
existing environments where AD is dominating.


> Regards
>
> Roland
>
>
> - Original Message -
> From: "Dmitri Pal" 
> To: "Roland Käser" 
> CC: freeipa-de...@redhat.com, freeipa-users@redhat.com
> Sent: Monday, 3 January 2011 14:56:03
> Subject: Re: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server 
> Beta 1 Release
>
> Roland Kaeser wrote:
>   
>> Hello
>>
>> Great, I just tested it on F-13 and it runs fine so far. 
>> But I'm missing a very important feature (to me) which is: Samba Support.
>>
>> Are there any plans to build samba support into freeipa 2? It would be very 
>> great to have one single 
>> authentication authority without the need of installing active directory.
>>
>> Regards
>>
>> Roland Kaeser
>>
>>   
>> 
>
> There are no plans to integrate Samba in a way you describe. Our next
> goal on this path is to allow cross Kerberos trusts (IPA v3) but
> supporting Windows clients natively is not something we have in mind.
> The intent however is to pretend that IPA is yet another AD domain. If your
> main domain is going to be Samba 4 instead of AD it might work without
> installing AD. But we do not plan to carry install and configure Samba 4
> ourselves at least in the near future (read couple years).
>
> Thank you
> Dmitri
>
>
>
>
>   
>> - Original Message -
>> From: "Dmitri Pal" 
>> To: "freeipa-devel" , "." 
>> , freeipa-inter...@redhat.com
>> Sent: Thursday, 23 December 2010 09:06:58
>> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>>
>> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>>
>> The FreeIPA project team is pleased to announce the availability of the
>> Beta 1 release of freeIPA 2.0 server [1].
>> - Binaries are available for F-13 and F-14.
>> - With this beta freeIPA is feature complete.
>> - Please do not hesitate to share feedback, criticism or bugs with us on
>> our mailing list: freeipa-users@redhat.com
>>
>> Main Highlights of the Beta
>> - This beta is the first attempt to show all planned capabilities of the
>> upcoming release.
>> - For the first time the new UI is mostly operational and can be used to
>> perform management of the system.
>> - Some areas are still very rough and we will appreciate your help with
>> those.
>>
>> Focus of the Beta Testing
>> - Please take a moment and look at the new Web UI. Any feedback about
>> the general approaches, work flows, and usability is appreciated. It is
>> still very rough but one can hopefully get a good understanding of how
>> we p

Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Dmitri Pal
Roland Kaeser wrote:
> Hello
>
> Great, I just tested it on F-13 and it runs fine so far. 
> But I'm missing a very important feature (to me) which is: Samba Support.
>
> Are there any plans to build samba support into freeipa 2? It would be very 
> great to have one single 
> authentication authority without the need of installing active directory.
>
> Regards
>
> Roland Kaeser
>
>   

There are no plans to integrate Samba in a way you describe. Our next
goal on this path is to allow cross Kerberos trusts (IPA v3) but
supporting Windows clients natively is not something we have in mind.
The intent however is to pretend that IPA is yet another AD domain. If your
main domain is going to be Samba 4 instead of AD it might work without
installing AD. But we do not plan to carry install and configure Samba 4
ourselves at least in the near future (read couple years).

Thank you
Dmitri




> - Original Message -
> From: "Dmitri Pal" 
> To: "freeipa-devel" , "." 
> , freeipa-inter...@redhat.com
> Sent: Thursday, 23 December 2010 09:06:58
> Subject: [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release
>
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the
> Beta 1 release of freeIPA 2.0 server [1].
> - Binaries are available for F-13 and F-14.
> - With this beta freeIPA is feature complete.
> - Please do not hesitate to share feedback, criticism or bugs with us on
> our mailing list: freeipa-users@redhat.com
>
> Main Highlights of the Beta
> - This beta is the first attempt to show all planned capabilities of the
> upcoming release.
> - For the first time the new UI is mostly operational and can be used to
> perform management of the system.
> - Some areas are still very rough and we will appreciate your help with
> those.
>
> Focus of the Beta Testing
> - Please take a moment and look at the new Web UI. Any feedback about
> the general approaches, work flows, and usability is appreciated. It is
> still very rough but one can hopefully get a good understanding of how
> we plan the final UI to function and look like.
> - Replication management was significantly improved. Testing of multi
> replica configurations should be easier.
> - We are looking for feedback about the DNS integration and networking
> issues you find in your environment configuring and using IPA with the
> embedded DNS enabled.
>
> Significant Changes Since Alpha 5
> - FreeIPA has changed its license to GPLv3+
> - Having IPA manage the reverse zone is optional.
> - The access control subsystem was re-written to be more understandable.
> For details see [2]
> - Support for SUDO rules
> - There is now a distinction between replicas and their replication
> agreements in the ipa-replica-manage command. It is now much easier to
> manage the replication topology.
> - Renaming entries is easier with the --rename option of the mod commands.
> - Fix special character handling in passwords, ensure that passwords are
> not logged.
> - Certificates can be saved as PEM files in service-show and host-show
> commands.
> - All IPA services are now started/stopped using the ipactl command.
> This gives us better control over the start/stop order during
> reboot/shutdown.
> - Set up ntpd first so the time is sane.
> - Better multi-valued value handling with --setattr and --addattr.
> - Add support for both RFC2307 and RFC2307bis to migration.
> - UID ranges were reduced by default from 1M to 200k.
> - Add ability to add/remove DNS records when adding/removing a host entry.
> - A number of i18n issues have been addressed.
> - Updated a lot of man pages.
>
> What is not Complete
> - We are still using an older version of the Dogtag. A new version of the
> Dogtag Certificate System will be based on tomcat6 and is forthcoming.
> - We plan to take advantage of Kerberos 1.9 that was released today but
> we have not finished the integration effort yet.
>
> Known Issues
> - IPV6 works in the installer but not the server itself
> - Make sure your machine can properly resolve its name before installing
> the server. Edit /etc/hosts to remove host name from the localhost and
> localhost6 lines if needed.
> - The UI is still rough in places. Use the following query [3] to see
> the tickets currently open against UI.
> - Dogtag does not work out-of-the-box on Fedora 14. To fix it for
> the time being run:
>   # ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
> - Instead of Dogtag on F14 you can also try the self-signed CA which is
> similar to the CA that was provided in IPA v1. This was designed for
> testing and development and not recommended for deployment.
> - Make sure you enable updates-testing repository on your fedora machine.
>
> Thank you,
> FreeIPA development team
>
> [1] http://www.freeipa.org/page/Downloads
> [2] http://freeipa.org/page/Permissions
> [3] https://fedorahosted.org/freeipa/report/12
>