[Freeipa-users] FreeIPA integrating samba4 + AD
Christovam Paynes Silva
christovamps at gmail.com
Mon Sep 16 19:05:09 UTC 2013
2013/9/12 Dmitri Pal <dpal at redhat.com>
> On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:
>
>
>
>
> 2013/9/11 Dmitri Pal <dpal at redhat.com>
>
>> On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
>>
>> It is a pity!
>> Thank you!
>>
>>
>>
>>
>> I did not get a feeling that we understand the whole picture correctly
>> to say that we provided the full answer.
>>
>> What I get from the description:
>> 1) Presence of Windows Clients = 100
>>
>
> Correct!
>
>
>> 2) Presence of AD to rule them
>>
>
> Correct!
>
>> 3) Presence of users (I deduce in AD too, but unclear) = 1000
>>
>
> Correct! Users are wireless. Use Windows and Linux without domain.
>
>
>> Intent: use open source technologies instead of proprietary solution.
>>
>
> That's right!
>
>
>>
>> What is not clear:
>> a) Are the users that come through the portal the same users that use
>> Windows Clients or not? Is there an overlap?
>>
>
> Users are via wireless. Authenticate users on a "captive portal" with
> Squid. Customers are Windows, Linux and without domain.
>
>
>> b) Is there any kind of Linux servers/machines in the picture?
>>
>
> This question was not clear to me.
>
>
> FreeIPA is a domain controller for Linux/UNIX systems. Its main value is to
> manage Linux environment inside your enterprise. It can manage users and
> groups too as any directory can. It can also authenticate users but its
> value is in creating an integrated Linux environment in terms of identity
> management. It seems that the setup you have does not actually have such
> Linux environment, i.e. Linux machines to join to IPA domain and manage.
> The question was: "Do you have Linux systems to manage?".
>
>
>
I have 5 servers. But that's just me working on them.
I believe we do not need the IPA.
I appreciate the attention.
Thank you.
>
>
>>
>> If you do not have Linux systems and all users can be stored in one place
>> it might be that you do not need FreeIPA. It might be that you can solve
>> the problem by using Samba4 instead of AD, connecting your clients to it,
>> putting your external portal users into a special OU in Samba4, configuring
>> FreeRADIUS to use this OU for authentication. Configure your portal to use
>> RADIUS.
>>
>
>
> Sorry, I may not have understood the concept of FreeIPA.
>
> I would like to continue using the AD, because of Group Policy Objects
> (GPO).
>
>
> You need to check whether Samba 4 supports GPO and to what extent.
>
> http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>
>
> Does it have the ability to authenticate email services, applications, among
> others, directly in Samba4?
>
>
> Yes, as with any LDAP server, but if you are planning to use AD then you do
> not need Samba 4 either.
> You then point your mail service and applications to AD directly.
> Most modern applications have some sort of LDAP integration for
> identity lookup and authentication. That means you would be able to point
> them to pretty much any directory: AD, Samba4, IPA, 389 ...
>
>
>
>
>
>
>
>>
>> HTH
>>
>> Thanks
>> Dmitri
>>
>>
>>
>>
>>
>> 2013/9/11 Simo Sorce <simo at redhat.com>
>>
>>> On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
>>> > Hello Simo, thanks for the feedback.
>>> > I would use the Samba4 with AD and authenticate my Windows clients in
>>> > FreeIPA.
>>> > Is this possible?
>>>
>>> It is not possible at this point to combine Samba4 AD and freeIPA.
>>>
>>> Simo.
>>> >
>>> > 2013/9/11 Simo Sorce <simo at redhat.com>
>>> > On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
>>> > > Hello!
>>> > >
>>> > >
>>> > > First I apologize if this topic is redundant.
>>> > >
>>> > >
>>> > > I'm looking on the implementation of FreeIPA. Looking for the
>>> > > forums, have some comments that authentication does not work with
>>> > > Samba4. Elsewhere say that that possibility exists. Today we have
>>> > > nearly 200 computers in the domain with the "Active Directory" and one
>>> > > wireless "captive portal" with 1000+ proxy users.
>>> > >
>>> > > I would like to see if the following scenario is possible:
>>> > > 1 - Integrating Samba4 with "Active Directory", to use their GPO and
>>> > > authenticate network users through the FreeIPA.
>>> > > 2 - Authenticate proxy servers in FreeIPA.
>>> > > 3 - And if it is possible some integration with FreeRADIUS
>>> > >
>>> >
>>> >
>>> > Hi Christovam, it is a bit unclear what you mean by integrating here.
>>> >
>>> > Is your intent to use Samba4 as an AD domain controller for your Windows
>>> > clients and IPA for your servers?
>>> >
>>> > If that's the case unfortunately this is not possible at the moment as
>>> > samba4 does not yet support Forest level trusts.
>>> > A Microsoft AD server can be used this way instead.
>>> >
>>> > Simo.
>>> >
>>> > --
>>> > Simo Sorce * Red Hat, Inc * New York
>>> >
>>> >
>>> >
>>>
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>