Thanks for all your help. I'll give it a go and see how far I get. <div class="gmail_quote">On 30 Apr 2013 19:37, "Alexander Bokovoy" <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Tue, 30 Apr 2013, <a href="mailto:simon.williams@thehelpfulcat.com" target="_blank">simon.williams@thehelpfulcat.com</a> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly . </blockquote> To be clear, we have not tested this combination so you'll be in uncharted waters. Since TGT for these users would still be issued by FreeIPA KDC, it would include MS-PAC with SIDs of these users in FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on IPA master would be able to recognize them as FreeIPA users regardless where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such setup would actually behave are welcomed. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. </blockquote> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I don’t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is there? </blockquote> The only requirements for simplistic setup is to: 1. run file server on IPA master (you can make a dedicated replica for that) 2. run ipa-adtrust-install on that master to setup Samba configuration and enable KDC + directory server to handle SIDs 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master uses registry backend to store smb.conf configuration. See <a href="http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares" target="_blank">http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares</a> for sample how to work with 'net conf setparm'. For 'valid users' I guess you can use simply user names since these would be our local ones. Again, this is completely untested right now. -- / Alexander Bokovoy </blockquote></div>