[Samba] Future AD domain currently want FreeRadius Samba or FreeIPA?

Andrew Bartlett abartlet at samba.org
Fri Dec 2 18:35:11 UTC 2016


On Fri, 2016-12-02 at 08:28 -0700, Jeff Sadowski via samba wrote:
> My main home server runs Fedora 25. I have experimented in the past
> with an Ubuntu samba AD domain controller (in a VM). Which was really
> cool because I could join Windows 10 pro machines to it and assign
> GPOs just like my AD at work. Currently I'm looking into setting up a
> FreeRadius server. I want to eventually be able to have the same
> authentication across machines and wifi and the lot. And I'd like to
> set up machines using GPOs. It looks like Fedora is working on
> getting FreeIPA as the LDAP for AD samba? Is this correct?
> 
> If I set up FreeIPA as my LDAP and connect my FreeRadius server to
> authenticate against it; would I then, in the not too distant future,
> be able to set up samba to use it for an AD domain that I could set
> up GPOs for?

No.  Samba can't use another LDAP server as a backend, when acting as
an AD DC.  We may be able to trust it with an inter-forest trust, but
that is a very different thing.

> Or would I be better off using my AD DC VM as my LDAP server?

I think so.

Andrew Bartlett


