
[Samba] Samba4 and freeipa


Konstantin Kozlov

Dec 22, 2008, 8:00:15 AM
Hello,

I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos
backend. Did anybody try it already? Or are there some known issues
about such combination?

Best regards,

--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Andrew Bartlett

Jan 6, 2009, 1:40:07 AM
On Mon, 2008-12-22 at 15:43 +0300, Konstantin Kozlov wrote:
> Hello,
>
> I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos
> backend. Did anybody try it already? Or are there some known issues
> about such combination?

While there are some ideas about how Samba4 might bring windows client
support to FreeIPA, this isn't something even remotely possible at this
time.

The particular sticking points are that Windows clients expect an
AD-like LDAP and Kerberos server, not MIT kerberos and Fedora DS (with
FreeIPA schema). Samba4 can happily provide these services, but then
the FreeIPA clients will see an AD LDAP server.

I suspect the long-term solution will be to have Samba4 provide the KDC
and the LDAP server, and have FreeIPA clients know to use the LDAP
server on another IP address or port. (But I also know this proposed
solution will infuriate others).

The only part of this solution currently available is the LDAP backend,
which allows Samba4 to use an OpenLDAP or (less-well-supported) Fedora
DS server as a data store, using the AD schema.

Sorry,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.


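A small check for the point Andrew makes above, added here as an example (it is not code from this thread, from Samba or from FreeIPA): which "flavour" of directory a client sees depends entirely on which server answers on the port it connects to. The script parses a rootDSE as printed by `ldapsearch -x -H ldap://HOST:PORT -s base -b '' '*' '+'` and reports whether the server advertises Active Directory capabilities (the supportedCapabilities OIDs Windows clients look for, which a Samba4 DC publishes too) or a 389/Fedora DS vendor string (what FreeIPA is built on), and which Kerberos SASL mechanisms it offers (Windows binds with GSS-SPNEGO, FreeIPA-style clients with GSSAPI). The two sample rootDSE entries are constructed; the hostname, suffixes and version string are assumptions.

```python
"""Classify what an LDAP rootDSE advertises: AD-like or 389/Fedora DS-like.

Added example, not code from the thread, Samba or FreeIPA. Input is the
rootDSE as printed by ldapsearch; everything runs offline on constructed data.
"""
import base64
from typing import Dict, List

# OIDs an AD DC (Samba4 included) publishes in rootDSE supportedCapabilities.
LDAP_CAP_ACTIVE_DIRECTORY_OID = "1.2.840.113556.1.4.800"
LDAP_CAP_ACTIVE_DIRECTORY_V51_OID = "1.2.840.113556.1.4.1670"

# SASL mechanisms Kerberos-aware clients bind with: Windows uses GSS-SPNEGO,
# FreeIPA/sssd-style clients use GSSAPI.
KERBEROS_SASL = ("GSSAPI", "GSS-SPNEGO")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles folded continuation lines (leading space), comments, the
    `search:`/`result:` trailer ldapsearch appends, and base64 (`::`) values.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    attrs: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name in ("search", "result"):
            continue
        if rest.startswith(":"):            # `attr:: <base64>`
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def classify_rootdse(attrs: Dict[str, List[str]]) -> str:
    """Return 'ad-like', '389ds-like' or 'unknown' from rootDSE attributes."""
    caps = set(attrs.get("supportedCapabilities", []))
    if caps & {LDAP_CAP_ACTIVE_DIRECTORY_OID, LDAP_CAP_ACTIVE_DIRECTORY_V51_OID}:
        return "ad-like"
    vendor = " ".join(attrs.get("vendorName", [])).lower()
    if "389" in vendor or "fedora" in vendor:
        return "389ds-like"
    return "unknown"


def kerberos_mechs(attrs: Dict[str, List[str]]) -> List[str]:
    """Kerberos SASL mechanisms the server offers, sorted for stable output."""
    return sorted(m for m in attrs.get("supportedSASLMechanisms", []) if m in KERBEROS_SASL)


def describe(ldif_text: str) -> dict:
    """Summarise one rootDSE: flavour, primary naming context, Kerberos SASL."""
    attrs = parse_ldif_entry(ldif_text)
    # AD publishes defaultNamingContext; 389 DS lists its suffixes in namingContexts.
    ctx = attrs.get("defaultNamingContext") or attrs.get("namingContexts") or [""]
    return {"flavour": classify_rootdse(attrs),
            "naming_context": ctx[0],
            "kerberos_sasl": kerberos_mechs(attrs)}


# Constructed sample rootDSEs; hostname, suffixes and version string are assumptions.
AD_STYLE_ROOTDSE = """\
# extended LDIF
dn:
defaultNamingContext: DC=example,DC=test
rootDomainNamingContext: DC=example,DC=test
configurationNamingContext: CN=Configuration,DC=example,DC=test
dnsHostName: dc1.example.test
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
"""

IPA_STYLE_ROOTDSE = """\
dn:
namingContexts: dc=example,dc=test
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
vendorName:: Mzg5IFByb2plY3Q=
vendorVersion: 389-Directory/1.2.5 B2009.
 123.4567

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for label, sample in (("AD-style port", AD_STYLE_ROOTDSE),
                          ("IPA-style port", IPA_STYLE_ROOTDSE)):
        print(label, describe(sample))
```

Run against the two ports a split deployment would expose, the same `describe()` shows which server each one is, which is exactly the question a misdirected Windows or IPA client would otherwise answer the hard way.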
Andrew Bartlett

Jan 7, 2009, 7:50:06 PM
On Wed, 2009-01-07 at 18:59 -0500, Simo Sorce wrote:

> On Tue, 2009-01-06 at 17:29 +1100, Andrew Bartlett wrote:
> > On Mon, 2008-12-22 at 15:43 +0300, Konstantin Kozlov wrote:
> > > Hello,
> > >
> > > I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos
> > > backend. Did anybody try it already? Or are there some known issues
> > > about such combination?
> >
> > While there are some ideas about how Samba4 might bring windows client
> > support to FreeIPA, this isn't something even remotely possible at this
> > time.
> >
> > The particular sticking points are that Windows clients expect an
> > AD-like LDAP and Kerberos server, not MIT kerberos and Fedora DS (with
> > FreeIPA schema). Samba4 can happily provide these services, but then
> > the FreeIPA clients will see an AD LDAP server.
>
> MIT Kerberos is getting the missing bits samba4 needs, but the DIT is
> going to be one of the major issues to solve.

Yeah.

> > I suspect the long-term solution will be to have Samba4 provide the KDC
> > and the LDAP server, and have FreeIPA clients know to use the LDAP
> > server on another IP address or port. (But I also know this proposed
> > solution will infuriate others).
>

> I am not sure I can agree with this view. The point is that FreeIPA is
> not just a generic LDAP + Kerberos server, we are working on providing a
> number of features targeted specifically at unix-like hosts.
> Using an AD-like tree would kill a lot of these features or require
> other compromises that do not really make sense in a pure linux/unix
> environment.

Exactly. I'm not proposing that, because you are right, it would suck
to bend the whole world to Microsoft's ways. I should have made it
clear, my proposal is that FreeIPA would be unmodified in this respect,
but that somehow we would keep the AD-LDAP and FreeIPA-LDAP ports
separate. (And because we control the FreeIPA clients more, perhaps it
could use a different port. Apparently XAD on eDirectory did this by
making Linux clients send a magic control)

Samba4 would then serve its clients, FreeIPA its clients (including
the vital policy work etc), the combined KDC would serve both, and the
LDAP implementations from each would serve the respective clients.

> I think Kerberos trusts (+ other glue for account enumeration) or
> synchronization are better solutions to get the best for each platform
> set (AD like for Windows, IPA like for *nix).

Given the madness that lies around Kerberos trusts, why not just have
one KDC? (given the progress MIT has made, it could certainly just be
more plugins to their KDC, or Samba4's Heimdal reading the shared
database)

> > The only part of this solution currently available is the LDAP backend,
> > which allows Samba4 to use an OpenLDAP or (less-well-supported) Fedora
> > DS server as a data store, using the AD schema.
>

> Another solution could be to have the LDAP backend provide different
> *views* depending on what the client is, I'd like to explore this
> possibility down the road, but it is too premature right now imo.

I think that would be very interesting. Or a proxy that somehow
redirects to the 'right' view, or something...

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Samba Developer, Red Hat Inc. http://redhat.com


simo

Jan 7, 2009, 11:20:03 PM
On Thu, 2009-01-08 at 11:38 +1100, Andrew Bartlett wrote:
> Given the madness that lies around Kerberos trusts, why not just have
> one KDC? (given the progress MIT has made, it could certainly just be
> more plugins to their KDC, or Samba4's Heimdal reading the shared
> database)

At some point it would be nice, indeed, to get there, and the sooner we
can start thinking about that solution the better.
But in the short term we will have to support trusts anyway and in the
process we will learn more about what is needed by all clients and
servers alike.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <si...@samba.org>
Principal Software Engineer at Red Hat, Inc. <si...@redhat.com>

Simo Sorce

Jan 12, 2009, 11:20:05 PM
On Tue, 2009-01-06 at 17:29 +1100, Andrew Bartlett wrote:
> On Mon, 2008-12-22 at 15:43 +0300, Konstantin Kozlov wrote:
> > Hello,
> >
> > I want to try Samba4 using a working FreeIPA setup as LDAP/Kerberos
> > backend. Did anybody try it already? Or are there some known issues
> > about such combination?
>
> While there are some ideas about how Samba4 might bring windows client
> support to FreeIPA, this isn't something even remotely possible at this
> time.
>
> The particular sticking points are that Windows clients expect an
> AD-like LDAP and Kerberos server, not MIT kerberos and Fedora DS (with
> FreeIPA schema). Samba4 can happily provide these services, but then
> the FreeIPA clients will see an AD LDAP server.

MIT Kerberos is getting the missing bits samba4 needs, but the DIT is
going to be one of the major issues to solve.

> I suspect the long-term solution will be to have Samba4 provide the KDC
> and the LDAP server, and have FreeIPA clients know to use the LDAP
> server on another IP address or port. (But I also know this proposed
> solution will infuriate others).

I am not sure I can agree with this view. The point is that FreeIPA is
not just a generic LDAP + Kerberos server, we are working on providing a
number of features targeted specifically at unix-like hosts.
Using an AD-like tree would kill a lot of these features or require
other compromises that do not really make sense in a pure linux/unix
environment.

I think Kerberos trusts (+ other glue for account enumeration) or
synchronization are better solutions to get the best for each platform
set (AD like for Windows, IPA like for *nix).

> The only part of this solution currently available is the LDAP backend,
> which allows Samba4 to use an OpenLDAP or (less-well-supported) Fedora
> DS server as a data store, using the AD schema.

Another solution could be to have the LDAP backend provide different
*views* depending on what the client is, I'd like to explore this
possibility down the road, but it is too premature right now imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
