<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:
    <blockquote
cite="mid:CAFJPc5yCFTL_Sj86dJX7x2zW=XyXQOnLQqKzY07pQ+9nX7_1Tw@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">2013/9/11 Dmitri Pal <span dir="ltr">&lt;<a
                moz-do-not-send="true" href="mailto:dpal@redhat.com"
                target="_blank">dpal@redhat.com</a>&gt;</span><br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div class="im"> On 09/11/2013 04:02 PM, Christovam
                  Paynes Silva wrote:
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>It is a pity!</div>
                      <div>Thank you!</div>
                    </div>
                  </blockquote>
                  <br>
                  <br>
                  <br>
                </div>
                I did not get a feeling that we understand the whole
                picture correctly to say that we provided the full
                answer..<br>
                <br>
                What I get from the description:<br>
                1) Presence of Windows Clients = 100</div>
            </blockquote>
            <div><br>
            </div>
            <div>Correct!<br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> 2) Presence of AD
                to rule them<br>
              </div>
            </blockquote>
            <div> </div>
            <div>Correct!<br>
            </div>
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> 3) Presence of
                users (I deduce in AD too, but unclear) = 1000<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Correct! Users are wirelessly. Use windows and linux
              without domain.<br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> Intent: use open
                source technologies instead of proprietary solution.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>
              <div>
                <div>That's right!</div>
              </div>
            </div>
            <div> <br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> <br>
                What is not clear: <br>
                a) Are the users that come through the portal the same
                users that use Windows Clients or not? Is there an
                overlap?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Users are via wireless. Authenticate users on a
              "captive portal" with Squid. Customers are windows, linux
              and without domain.<br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> b) Is there any
                kind of Linux servers/machines in the picture?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>This question was not clear to me.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    FreeIPA is a domain controller for Linux/UNIX systems. Its main value
    is to manage the Linux environment inside your enterprise. It can manage
    users and groups too, as any directory can. It can also authenticate
    users, but its value is in creating an integrated Linux environment in
    terms of identity management. It seems that the setup you have does
    not actually have such a Linux environment, i.e. Linux machines to
    join to the IPA domain and manage. <br>
    The question was: "Do you have Linux systems to manage?".<br>
    <br>
    <blockquote
cite="mid:CAFJPc5yCFTL_Sj86dJX7x2zW=XyXQOnLQqKzY07pQ+9nX7_1Tw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> <br>
                If you do not have Linux systems and all users can be
                stored in one place it might be that you do not need
                FreeIPA. It might be that you can solve the problem by
                using Samba4 instead of AD, connecting your clients to
                it, putting your external portal users into a special OU
                in Samba4, configuring FreeRADIUS to use this OU for
                authentication. Configure your portal to use RADIUS.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>
              <div>Sorry, I may not have understood the concept of
                FreeIPA.</div>
              <div><br>
              </div>
              <div>I would like to continue using the AD, because of
                Group Policy Objects (GPO).</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    You need to check whether Samba 4 supports GPO and to what extent.<br>
<a class="moz-txt-link-freetext" href="http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F">http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F</a><br>
    <br>
    <blockquote
cite="mid:CAFJPc5yCFTL_Sj86dJX7x2zW=XyXQOnLQqKzY07pQ+9nX7_1Tw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div>
              <div>It has the ability to authenticate email services,
                applications, among others directly in Samba4?</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Yes, as with any LDAP server, but if you are planning to use AD then
    you do not need Samba 4 either.<br>
    You then point your mail service and applications to AD directly.<br>
    Most modern applications have some sort of LDAP integration for
    identity lookup and authentication. That means you would be able to
    point them to pretty much any directory: AD, Samba4, IPA, 389 ...<br>
    <br>
    <br>
    <blockquote
cite="mid:CAFJPc5yCFTL_Sj86dJX7x2zW=XyXQOnLQqKzY07pQ+9nX7_1Tw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <div><br>
            </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> <br>
                HTH<br>
                <br>
                Thanks<br>
                Dmitri<br>
                <br>
                <br>
                <br>
                <blockquote type="cite">
                  <div>
                    <div class="h5">
                      <div class="gmail_extra"><br>
                        <br>
                        <div class="gmail_quote">2013/9/11 Simo Sorce <span
                            dir="ltr">&lt;<a moz-do-not-send="true"
                              href="mailto:simo@redhat.com"
                              target="_blank">simo@redhat.com</a>&gt;</span><br>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                            <div>On Wed, 2013-09-11 at 16:37 -0300,
                              Christovam Paynes Silva wrote:<br>
                              > Hello Simo, thanks for the feedback.<br>
                              > I would use the Samba4 with AD and
                              authenticate my clients windows in<br>
                              > FreeIPA.<br>
                              > Is this possible?<br>
                              <br>
                            </div>
                            It is not possible at this point to combine
                            Samba4 AD and freeIPA.<br>
                            <span><font color="#888888"><br>
                                Simo.<br>
                              </font></span>
                            <div>
                              <div>><br>
                                > 2013/9/11 Simo Sorce &lt;<a
                                  moz-do-not-send="true"
                                  href="mailto:simo@redhat.com"
                                  target="_blank">simo@redhat.com</a>&gt;<br>
                                >         On Wed, 2013-09-11 at 14:06
                                -0300, Christovam Paynes Silva<br>
                                >         wrote:<br>
                                >         > Hello!<br>
                                >         ><br>
                                >         ><br>
                                >         > First I apologize if
                                this topic is redundant.<br>
                                >         ><br>
                                >         ><br>
                                >         > I'm looking on the
                                implementation of FreeIPA . Looking for<br>
                                >         the<br>
                                >         > forums , have some
                                comments that authentication does not<br>
                                >         work with<br>
                                >         > Samba4 . Elsewhere say
                                that that possibility exists . Today<br>
                                >         we have<br>
                                >         > nearly 200 computers
                                in the domain with the "Active<br>
                                >         Directory" and one<br>
                                >         > wireless "captive
                                portal" with 1000 + proxy users .<br>
                                >         ><br>
                                >         > I would like to see if
                                the following scenario is possible :<br>
                                >         > 1 - Integrating Samba4
                                with "Active Directory" , to use<br>
                                >         their GPO and<br>
                                >         > authenticate network
                                users through the FreeIPA .<br>
                                >         > 2 - Authenticate proxy
                                servers in FreeIPA .<br>
                                >         > 3 - And if it is
                                possible some integration with
                                FreeRADIUS<br>
                                >         ><br>
                                ><br>
                                ><br>
                                >         Hi Christovam, it is a bit
                                unclear what you mean by<br>
                                >         integrating here.<br>
                                ><br>
                                >         Is your intent to use
                                Samba4 as an AD domain controller for<br>
                                >         your Windows<br>
                                >         clients and IPA for your
                                servers ?<br>
                                ><br>
                                >         If that's the case
                                unfortunately this is not possible at
                                the<br>
                                >         moment as<br>
                                >         samba4 does not yet support
                                Forest level trusts.<br>
                                >         A Microsoft AD server can
                                be used this way instead.<br>
                                ><br>
                                >         Simo.<br>
                                ><br>
                                >         --<br>
                                >         Simo Sorce * Red Hat, Inc *
                                New York<br>
                                ><br>
                                ><br>
                                ><br>
                                <br>
                                <br>
                                --<br>
                                Simo Sorce * Red Hat, Inc * New York<br>
                                <br>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                      <br>
                      <fieldset></fieldset>
                      <br>
                    </div>
                  </div>
                  <pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
                  <span class=""><font color="#888888"> </font></span></blockquote>
                <span class=""><font color="#888888"> <br>
                    <br>
                    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.




</pre>
  </body>
</html>