
New features for Fedora 18

Posted Aug 1, 2012 9:22 UTC (Wed) by ab (subscriber, #788)
In reply to: New features for Fedora 18 by drag
Parent article: New features for Fedora 18

IPA v3 will bring trusts with an existing AD setup; that's the first step. It will not be a full-blown AD DC, but AD will treat IPA v3 users and machines as if they are from a native AD forest, which will be enough for the majority of use cases.

Getting Samba 4 AD DC out as a proper AD DC is also an important task. However, it should also be viewed from the perspective of being an application in a larger setup -- if you would run it in an isolated VM, you can already build your own samba4 package in Fedora for that purpose by changing a few arguments to the build process. It will use the embedded Heimdal Kerberos implementation. Unfortunately, you then cannot share the same VM with anything else relying on Kerberos in Fedora, as those will be built against MIT Kerberos and use by default features unavailable in Heimdal, like DIR: credential cache collections.

So in an isolated environment it is already possible to build and use Samba 4 AD DC in Fedora 18 (Rawhide right now, of course). Integrating it into the distribution is a bit larger in scope and requires more effort.



New features for Fedora 18

Posted Aug 3, 2012 21:44 UTC (Fri) by drag (subscriber, #31333)

If I could set up Samba4 standalone with full AD support and then be able to set up some sort of trust relationship with an IPA v3 DC so that users and groups could be managed by either... then that would make me happy and fill the Windows requirements.

Also if SSSD could work with a standalone Samba4 domain then that would be great also.

I don't think that it's entirely necessary for IPA to be an AD-compatible DC, although that would be ideal (less admin overhead, less stuff to break, etc.). Having a requirement that an administrator must set up a standalone Windows or Samba4 DC would be fine, just as long as you can treat both in an identical manner.

New features for Fedora 18

Posted Aug 5, 2012 13:28 UTC (Sun) by ab (subscriber, #788)

Trust between Samba 4 AD DC and IPAv3 is not yet possible because Samba 4 AD DC does not support cross-forest trusts yet. Work is ongoing on that one. Once we (Samba Team) get cross-forest trusts working in Samba 4 AD DC, this setup will work automatically with IPAv3 cross-forest AD trusts.

SSSD can work with a standalone Samba 4 AD DC domain already, using either the LDAP or the AD provider; it is cross-forest trusts that are not supported in Samba 4 AD DC yet.
