[Freeipa-devel] freeIPA as a samba backend

Alexander Bokovoy abokovoy at redhat.com
Tue Jun 26 20:14:38 UTC 2012


On Tue, 26 Jun 2012, Endi Sukma Dewata wrote:
>On 6/26/2012 12:53 PM, Rich Megginson wrote:
>>>>IPA will keep all of your passwords in sync - userPassword,
>>>>sambaNTPassword, sambaLMPassword, and your kerberos passwords. 389
>>>>cannot do this - the functionality that does this is provided by an
>>>>IPA password plugin.  Openldap has a similar plugin, but I think it
>>>>is "contrib" and not "officially supported".
>>>
>>>I know that Endi did the work to make 389 be a viable back end for
>>>Samba and it passed all the Samba torture tests so I am not sure I
>>>agree with you.
>>
>>Was that for samba4 or samba3?
>
>It was for Samba 4, but that was done a while ago. I'm not sure of the
>current status of the code. It worked up to some point, but it's no
>longer maintained due to a lack of OpenLDAP experts to make further
>modifications, since this involves Samba code that is shared between
>both backends.

Samba4 deprecated the LDAP backend a long time ago. Only the ldb backend is
supported.

smbd in Samba4 is still using the same PDB interface as Samba 3 and has the
traditional ldapsam module that Loris is using (most likely). For Samba4
AD DC integration it has a few Samba4-specific modules, for both the PDB and
VFS interfaces.

The ipasam module in FreeIPAv3 is an expansion of ldapsam to support trusted
domains and works with smbd from Samba4. This module uses the new schema
for Samba-specific attributes introduced in FreeIPAv3, whose values are
co-maintained by various slapd plugins and ipasam, as well as by the new
FreeIPA kdb driver for the MIT Kerberos KDC.

Turning back to Dmitri's original question: besides file-serving
capabilities, what other use cases could be solved by a combination of
FreeIPA and a Samba member server? As FreeIPA provides alternative means
to join machines to a single realm (the FreeIPA Kerberos realm) and
maintain them reliably with sssd, Samba DC functionality in a pure FreeIPA
setup seems to be of less importance.

If there is a need to join Windows machines to a FreeIPA setup without
utilizing an Active Directory domain, then I'd also like to hear how
important that is. Right now we are missing a few capabilities in FreeIPAv3
to make Samba 4's smbd a non-Active Directory DC (a.k.a. a classic NT-style
domain with enhanced encryption), and knowing how important this integrated
setup is would help prioritising features.
-- 
/ Alexander Bokovoy