<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000066"> Hi Simo, Stephen, I agree that in larger organisations there might be a need to keep both systems separate. In our case (~300 users) AD works just fine - but true is that apart of the identity & password management we require nothing else. That's said I appreciate your hard work and support even for the scenario below. I also hope that you won't dislike me if I continue to bombard you with questions/problems regarding Linux/Windows interoperability. :-) Eventually, even Microsoft has its own bright moments - last time they surprised me when I contacted microsoft support reporting that their LDAP servers (AD controllers) responds to connections via SASL/MD5 auth the way which breaks RFC (I could not get Linux automounter to work with AD). They admitted the bug and unveiled a patch for it. Ondrej On 10/03/2011 02:07 PM, Simo Sorce wrote: <blockquote cite="mid:1317643678.17819.6.camel@willson.li.ssimo.org" type="cite"> <pre wrap="">Ondrej, it depends on your company structure, complexity and goals and flexibility. If you join your Linux machines to an AD directory then you are tied very strictly, administratively and functionally to that directory. Given Windows Administration and Linux Administration are very diverse skills set, and very few admins are capable of doing both with maximum proficiency on both system we think that splitting your support organization between the Windows admin and Linux admins is a good thing. Each group can concentrate on its own tasks w/o too much interference and less need for coordinating. Also FreeIPA is targeted at serving Linux machines and has integrated HBAC, Sudo support and other goodies that are simply missing in the AD side as they are alien concepts in the Windows world. Of course small organization were a single admin group controlling both platfroms may decide having just one directory is the way to go. You have the freedom to choose. Simo. On Mon, 2011-10-03 at 12:45 +0200, Ondrej Valousek wrote: </pre> <blockquote type="cite"> <pre wrap="">Well, I think these advantages won't outweigh the extra complexity of having two systems for the same thing. But it is up to everyone's decision... Ondrej </pre> <blockquote type="cite"> <pre wrap="">- the error messages of an AD might be strange to deal with for unix/linux admins - While I expect Microsoft to test AD patches with Windows clients I do not expect them to test linux/unix clients. Resulting in possi- bility that patches of the AD break the communication to linux/unix clients. - Having important infrastructure like idendification/directory services running on OpenSource software is a good thing, apply all the OpenSource advantages here like beeing able to audit the code etc. Christian </pre> </blockquote> <pre wrap=""> ______________________________________________________________________ The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: <a class="moz-txt-link-abbreviated" href="mailto:communications@s3group.com">communications@s3group.com</a>. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18 ______________________________________________________________________ _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre> </blockquote> <pre wrap=""> </pre> </blockquote> <HR> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18 <HR> </body> </html>