[Freeipa-devel] Re: [Samba] Samba4 and freeipa

Andrew Bartlett abartlet at samba.org
Thu Jan 8 00:38:07 GMT 2009

On Wed, 2009-01-07 at 18:59 -0500, Simo Sorce wrote:
> On Tue, 2009-01-06 at 17:29 +1100, Andrew Bartlett wrote:
> > On Mon, 2008-12-22 at 15:43 +0300, Konstantin Kozlov wrote:
> > > Hello,
> > > 
> > > I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos 
> > > backend. Did anybody try it already? Or are there some known issues 
> > > about such combination?
> > 
> > While there are some ideas about how Samba4 might bring windows client
> > support to FreeIPA, this isn't something even remotely possible at this
> > time.  
> > 
> > The particular sticking points are that Windows clients expect an
> > AD-like LDAP and Kerberos server, not MIT kerberos and Fedora DS (with
> > FreeIPA schema).  Samba4 can happily provide these services, but then
> > the FreeIPA clients will see an AD LDAP server.  
> MIT Kerberos is getting the missing bits samba4 needs, but the DIT is
> going to be one of the major issues to solve.


> > I suspect the long-term solution will be to have Samba4 provide the KDC
> > and the LDAP server, and have FreeIPA clients know to use the LDAP
> > server on another IP address or port.  (But I also know this proposed
> > solution will infuriate others). 
> I am not sure I can agree with this view. The point is that FreeIPA is
> not just a generic LDAP + Kerberos server, we are working in providing a
> number of features targeted specifically at unix-like hosts.
> Using an AD-like tree would kill a lot of these features or require
> other compromises that do not really make sense in a pure linux/unix
> environment.

Exactly.  I'm not proposing that, because you are right, it would suck
to bend the whole world to Microsoft's ways.  I should have made it
clear, my proposal is that FreeIPA would be unmodified in this respect,
but that somehow we would keep the AD-LDAP and FreeIPA-LDAP ports
separate.  (And because we control the FreeIPA clients more, perhaps it
could use a different port.  Apparently XAD on eDirectory did this by
making Linux clients send a magic control)

Samba4 would then serve its clients, FreeIPA its clients (including
the vital policy work etc), the combined KDC would serve both, and the
LDAP implementations from each would serve the respective clients. 

> I think Kerberos trusts (+ other glue for account enumeration)  or
> synchronization are better solutions to get the best for each platform
> set (AD like for Windows, IPA like for *nix).

Given the madness that lies around Kerberos trusts, why not just have
one KDC? (given the progress MIT has made, it could certainly just be
more plugins to their KDC, or Samba4's Heimdal reading the shared

> > The only part of this solution currently available is the LDAP backend,
> > which allows Samba4 to use an OpenLDAP or (less-well-supported) Fedora
> > DS server as a data store, using the AD schema.
> Another solution could be to have the LDAP backend provide different
> *views* depending on what is the client, I'd like to explore this
> possibility down the road, but it is too premature right now imo.

I think that would be very interesting.  Or a proxy that somehow
redirects to the 'right' view, or something...

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
