[Freeipa-devel] Re: [Samba] Samba4 and freeipa

Simo Sorce ssorce at redhat.com
Wed Jan 7 23:59:38 GMT 2009

On Tue, 2009-01-06 at 17:29 +1100, Andrew Bartlett wrote:
> On Mon, 2008-12-22 at 15:43 +0300, Konstantin Kozlov wrote:
> > Hello,
> > 
> > I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos 
> > backend. Did anybody try it already? Or are there some known issues 
> > about such combination?
> While there are some ideas about how Samba4 might bring windows client
> support to FreeIPA, this isn't something even remotely possible at this
> time.  
> The particular sticking points are that Windows clients expect an
> AD-like LDAP and Kerberos server, not MIT kerberos and Fedora DS (with
> FreeIPA schema).  Samba4 can happily provide these services, but then
> the FreeIPA clients will see an AD LDAP server.  

MIT Kerberos is getting the missing bits samba4 needs, but the DIT is
going to be one of the major issues to solve.

> I suspect the long-term solution will be to have Samba4 provide the KDC
> and the LDAP server, and have FreeIPA clients know to use the LDAP
> server on another IP address or port.  (But I also know this proposed
> solution will infuriate others). 

I am not sure I can agree with this view. The point is that FreeIPA is
not just a generic LDAP + Kerberos server, we are working in providing a
number of features targeted specifically at unix-like hosts.
Using an AD-like tree would kill a lot of these features or require
other compromises that do not really make sense in a pure linux/unix

I think Kerberos trusts (+ other glue for account enumeration)  or
synchronization are better solutions to get the best for each platform
set (AD like for Windows, IPA like for *nix).

> The only part of this solution currently available is the LDAP backend,
> which allows Samba4 to use an OpenLDAP or (less-well-supported) Fedora
> DS server as a data store, using the AD schema.

Another solution could be to have the LDAP backend provide different
*views* depending on what is the client, I'd like to explore this
possibility down the road, but it is too premature right now imo.


Simo Sorce * Red Hat, Inc * New York

More information about the samba mailing list