FreeIPA: centralized identity management for Linux

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 16:57 UTC (Thu) by bkw1a (subscriber, #4101)
Parent article: FreeIPA: centralized identity management for Linux

How does this relate to the AD functionality in the just-released Samba 4?


(Log in to post comments)

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 17:43 UTC (Thu) by drag (subscriber, #31333) [Link]

Nothing directly yet. Obviously they would love to have FreeIPA support Windows clients properly. Windows is very important to institutions nowadays, and I expect that it's far easier and more effective to get AD to work with Linux than it is to get FreeIPA to work with Windows.

Samba 4 may be able to provide that 'AD connector' functionality for FreeIPA in the future, but last time I checked there remained lots of work to get to that point.

Not sure of any of the details.

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 17:49 UTC (Thu) by drag (subscriber, #31333) [Link]

Ah, never mind. It is clear I need to do more reading up on the AD trust relationship feature.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 0:25 UTC (Fri) by jldugger (subscriber, #57576) [Link]

It's just a Kerberos Trust; the O'Reilly Kerberos book explains them if you're curious.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 11:49 UTC (Fri) by ab (subscriber, #788) [Link]

Samba4 AD DC does not support cross-realm trusts between different forests yet. Thus, it is not yet possible to use the AD trusts feature of FreeIPA 3.x to connect two separate installs, Samba 4 AD DC and FreeIPA. Once we get cross-realm trusts working for the cross-forest case in Samba 4 AD DC, an AD trust between FreeIPA and Samba 4 AD DC should start working as well.

Yes, it is mostly a Kerberos trust once it is established, except for a lot of small details on verifying ticket extensions in the MS-PAC structure (documented in the MS-KILE spec), which change over time, and the resolution of SIDs (MS-PAC records SIDs, not group or user names, so one has to resolve them first to use them), which is a complicated matter in complex topologies.

However, in order to establish an AD trust one needs to use the SMB protocol and MS-RPC services. You may want to look at http://freeipa.org/page/IPAv3_Architecture to get a high-level overview of what's happening. The page has some outdated material though; I'm working on updating it as we speak.
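An added example, not part of the comment above nor code from FreeIPA or Samba, of the SID-resolution step described there: decoding a binary SID as it is carried in the MS-PAC into its string form, then mapping its domain prefix to a known trusted domain before the RID can be looked up. The SID bytes and the domain names are constructed sample values.

```python
import struct

# Constructed sample: binary form of S-1-5-21-1004336348-1177238915-682003330-512.
# Layout (MS-DTYP): revision, sub-authority count, 48-bit identifier authority
# (big-endian), then N little-endian 32-bit sub-authorities.
SAMPLE_SID = bytes([
    0x01,                                # revision
    0x05,                                # sub-authority count
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,  # identifier authority 5 (NT Authority)
]) + struct.pack('<5I', 21, 1004336348, 1177238915, 682003330, 512)

# Constructed trust table: domain SID prefix -> trusted domain name.
TRUSTED_DOMAINS = {
    'S-1-5-21-1004336348-1177238915-682003330': 'AD.EXAMPLE.TEST',
}

def sid_to_string(blob):
    """Decode a binary SID into its S-R-A-S1-...-Sn string form."""
    if len(blob) < 8:
        raise ValueError('SID too short')
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if count > 15:
        raise ValueError('too many sub-authorities: %d' % count)
    if len(blob) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(blob[2:8], 'big')
    subs = struct.unpack('<%dI' % count, blob[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)

def split_domain_rid(sid_str):
    """Split 'S-1-5-21-...-RID' into the domain SID prefix and the RID."""
    head, _, rid = sid_str.rpartition('-')
    return head, int(rid)

def resolve_sid(blob, trusted_domains):
    """Map a PAC SID to (trusted domain, RID); None if its domain is not trusted.

    A SID whose domain prefix is unknown must not be accepted for authorization,
    since nothing ties it to a realm this server actually trusts.
    """
    domain_sid, rid = split_domain_rid(sid_to_string(blob))
    name = trusted_domains.get(domain_sid)
    if name is None:
        return None
    return name, rid
```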

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 18:04 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Quite badly, a year or so ago. There was no way to use Samba's Kerberos implementation with FreeIPA; the only way was to set up mirroring between two LDAP directories, which was error-prone.

I have no idea if this has changed since.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 0:27 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

Lots of changes have happened in the last year. You should definitely look again.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 11:42 UTC (Fri) by ab (subscriber, #788) [Link]

You may read a longer explanation at Fedora's feature page for Samba4:
https://fedoraproject.org/wiki/Features/Samba4

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds