New features for Fedora 18

Posted Aug 1, 2012 8:37 UTC (Wed) by drag (subscriber, #31333)
In reply to: New features for Fedora 18 by ab
Parent article: New features for Fedora 18

Being able to integrate IPA into Samba4 is certainly a very very awesome thing to do. Otherwise Fedora/Redhat will end up supporting two incompatible Kerberos/LDAP-based domain controller implementations.

Hopefully they can pull it off in such a way that no level of Active Directory compatibility will be lost. The ability to have a compatible AD implementation is such a massive and important killer feature that it would be a fatal mistake to not take compatibility deadly seriously. It would be better to have two incompatible domain controller systems than it would be to have limited Windows/AD compatibility.

All in all it's very exciting. Kudos to the development groups behind this.

So far my experiences using and testing FreeIPA have been insanely positive. This with SSSD is a monumental step forward in terms of usability and effectiveness of Linux systems in a domain environment. Absolutely fantastic stuff. For people who are interested in network security or enterprise level domain controllers and have not taken time to evaluate FreeIPA on a Redhat/CentOS/Fedora system you are doing yourself a huge disservice!

This sort of stuff makes Kerberos/LDAP integration and support on the OS level deadly simple. Even doing something like taking a Debian host using an older revision of SSSD and having it join a FreeIPA 2 domain is almost laughably simple compared to the hell that was previously required with a more custom solution made up of configuring separate components like OpenLDAP + MIT Kerberos.

And thinking that it can be possible to have compatibility with AD and thus be able to integrate Windows hosts naturally with Linux hosts can open up all sorts of new possibilities and markets. Lots of $$$ to be made by Redhat and anybody else that can manage to sell this support to corporations. (hint: Looking at you, Canonical)

Oh and integrating Kerberos support into web apps via the NSS apache module is very simple also. With a couple simple configuration modifications even Chrome/Chromium can support single sign on.

Very very cool stuff altogether.



New features for Fedora 18

Posted Aug 1, 2012 9:22 UTC (Wed) by ab (subscriber, #788)

IPA v3 will bring trusts with an existing AD setup; that's the first step. It will not be a full-blown AD DC, but AD will treat IPA v3 users and machines as if they are from a native AD forest, which will be enough for the majority of use cases.

Getting Samba 4 AD DC out as a proper AD DC is also an important task. However, it should also be viewed from the perspective of being an application in a larger setup -- if you would run it in an isolated VM, you can already build your own samba4 package in Fedora for that purpose by changing a few arguments to the build process. It will use the embedded Heimdal Kerberos implementation. Unfortunately, you then cannot share the same VM with anything else relying on Kerberos in Fedora, as those will be built against MIT Kerberos and use by default features unavailable in Heimdal, like DIR: credential cache collections.

So in an isolated environment it is already possible to build and use Samba 4 AD DC in Fedora 18 (Rawhide right now, of course). Integrating it into the distribution is a bit larger in scope and requires more effort.

New features for Fedora 18

Posted Aug 3, 2012 21:44 UTC (Fri) by drag (subscriber, #31333)

If I could set up Samba4 standalone with full AD support and then be able to set up some sort of trust relationship with an IPA v3 DC so that users and groups could be managed by either... then that would make me happy and fill the Windows requirements.

Also if SSSD could work with a standalone Samba4 domain then that would be great also.

I don't think that it's entirely necessary for IPA to be an AD-compatible DC, although that would be ideal (less admin overhead, less stuff to break, etc). Having a requirement that an administrator must set up a standalone Windows or Samba4 DC then that would be fine, just as long as you can treat both in an identical manner.

New features for Fedora 18

Posted Aug 5, 2012 13:28 UTC (Sun) by ab (subscriber, #788)

Trust between Samba 4 AD DC and IPAv3 is not yet possible because Samba 4 AD DC does not support cross-forest trusts yet. Work is ongoing on that one. Once we (Samba Team) get cross-forest trusts working in Samba 4 AD DC, this setup will work automatically with IPAv3 cross-forest AD trusts.

SSSD can already work with a standalone Samba 4 AD DC domain, using either the LDAP or the AD provider; it is cross-forest trusts that are not supported in Samba 4 AD DC yet.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.