New features for Fedora 18
Posted Aug 1, 2012 1:51 UTC (Wed) by augustz (guest, #37348)
Hopefully this is just the beginning and they can figure out how to add AD DC support back into Samba4 after removing it.
Posted Aug 1, 2012 2:16 UTC (Wed) by rahulsundaram (subscriber, #21946)
Posted Aug 1, 2012 7:28 UTC (Wed) by ab (subscriber, #788)
Posted Aug 1, 2012 8:37 UTC (Wed) by drag (subscriber, #31333)
Hopefully they can pull it off in such a way that no level of Active Directory compatibility will be lost. The ability to have a compatible AD implementation is such a massive and important killer feature that it would be a fatal mistake not to take compatibility deadly seriously. It would be better to have two incompatible domain controller systems than it would be to have limited Windows/AD compatibility.
All in all it's very exciting. Kudos to the development groups behind this.
So far my experiences using and testing FreeIPA have been insanely positive. This with SSSD is a monumental step forward in terms of usability and effectiveness of Linux systems in a domain environment. Absolutely fantastic stuff. For people who are interested in network security or enterprise level domain controllers and have not taken time to evaluate FreeIPA on a Redhat/CentOS/Fedora system you are doing yourself a huge disservice!
This sort of stuff makes kerberos/ldap integration and support on the OS level deadly simple. Even doing something like taking a Debian host using an older revision of SSSD and having it join a FreeIPA 2 domain is almost laughably simple compared to the hell that was previously required with a more custom solution made up of configuring separate components like OpenLDAP + MIT kerberos.
And thinking that it can be possible to have compatibility with AD and thus be able to integrate Windows hosts naturally with Linux hosts can open up all sorts of new possibilities and markets. Lots of $$$ to be made by Redhat and anybody else that can manage to sell this support to corporations. (hint: Looking at you; Canonical)
Oh and integrating Kerberos support into web apps via the NSS apache module is very simple also. With a couple simple configuration modifications even Chrome/Chromium can support single sign on.
Very very cool stuff altogether.
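The Apache-side Kerberos setup mentioned in the comment above, as an added example that is not part of the comment: a mod_auth_kerb location block protecting a web app with Negotiate (SPNEGO) only. The realm EXAMPLE.COM, the keytab path and the /app path are assumed placeholders; the HTTP/ service key is assumed to have been issued by the FreeIPA KDC and written to that keytab.

```apacheconf
# Assumed: mod_auth_kerb is loaded and the HTTP/<host>@EXAMPLE.COM key lives in the keytab below.
<Location /app>
    AuthType Kerberos
    AuthName "FreeIPA single sign-on"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # Accept only SPNEGO tickets from the browser ...
    KrbMethodNegotiate On
    # ... and do not fall back to prompting for a Kerberos password over HTTP Basic,
    # which would send the user's domain password to the web server in clear.
    KrbMethodK5Passwd Off
    # Do not keep delegated credentials on the server unless the app needs them.
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

On the Chrome/Chromium side, Negotiate is only attempted for hosts on its allow list, so a managed policy that sets AuthServerAllowlist (AuthServerWhitelist in builds of that era) to the web host's domain is the other configuration change the comment refers to.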
Posted Aug 1, 2012 9:22 UTC (Wed) by ab (subscriber, #788)
Getting Samba 4 AD DC out as a proper AD DC is also an important task. However, it should also be viewed from the perspective of being an application in a larger setup -- if you would run it in an isolated VM, you can already build your own samba4 package in Fedora for that purpose by changing a few arguments to the build process. It will use the embedded Heimdal kerberos implementation. Unfortunately, you then cannot share the same VM with anything else relying on Kerberos in Fedora as those will be built against MIT Kerberos and use by default features unavailable in Heimdal like DIR: credential cache collections.
So in an isolated environment it is already possible to build and use Samba 4 AD DC in Fedora 18 (Rawhide right now, of course). Integrating into the distribution is a bit larger in scope and requires more effort.
Posted Aug 3, 2012 21:44 UTC (Fri) by drag (subscriber, #31333)
Also if SSSD could work with a standalone Samba4 domain then that would be great also.
I don't think that it's entirely necessary for IPA to be an AD-compatible DC, although that would be ideal (less admin overhead, less stuff to break, etc). Having a requirement that an administrator must set up a standalone Windows or Samba4 DC would be fine, just as long as you can treat both in an identical manner.
Posted Aug 5, 2012 13:28 UTC (Sun) by ab (subscriber, #788)
SSSD can work with standalone Samba 4 AD DC domain already, either using LDAP or AD provider, it is cross-forest trusts that are not supported in Samba 4 AD DC yet.
Copyright © 2013, Eklektix, Inc.