[Freeipa-users] Samba 4 with IPA

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 30 17:01:13 UTC 2013


On Tue, 30 Apr 2013, Simon Williams wrote:
>Hi
>
>I don't know if anyone has tried what I want to do, I really just want to
>know if it's possible at the moment. A few pointers to any information
>would be helpful too!
Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

>I have an existing FreeIPA server running on a CentOS machine. It is used
>to authenticate all users on the network. This works very well, but setting
>up Windows workstations is a bit of a pain. I also want to provide some
>network storage for the Windows machines. To this end, I would like to set
>up a Samba 4 server as a slave to FreeIPA so that the Windows workstations
>could join an AD domain controlled by Samba 4, but actually authenticating
>against FreeIPA. I really want to keep FreeIPA in the driving seat, but
>would love to be able to make the Windows workstations behave as though
>they were on a domain.
So you describe above several disconnected cases:
1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible
deployment trusting the FreeIPA deployment.

(1) is possible to implement with few caveats and some details are still
rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so.

For now, if there is a cross-realm trust with Active Directory, each IPA
master which serves as a domain controller (after ipa-adtrust-install was
run on it) could serve as a file server, but access control setup is a bit
complex.

(2) is not possible right now due to the fact that Samba AD DC does not
support cross-forest trusts right now. There is a certain amount of work
to be done to implement the needed logic in Samba.

-- 
/ Alexander Bokovoy



