LWN: Comments on "FreeIPA: centralized identity management for Linux"
https://lwn.net/Articles/528735/

This is a special feed containing comments posted to the individual LWN article titled "FreeIPA: centralized identity management for Linux".
Language: en-us. Last built: Wed, 10 Sep 2025 10:38:17 +0000. Feed format: https://www.rssboard.org/rss-specification. Contact: lwn@lwn.net

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/530449/
Posted by rwmj, Sat, 22 Dec 2012 16:20:51 +0000

Slightly late, but I have a Free IPA pint glass! Conference swag from c.2008. Unfortunately it's an American pint, so it's a bit too small for a real pint of beer, but you can't have everything ...

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529213/
Posted by ab, Fri, 14 Dec 2012 11:49:21 +0000

Samba4 AD DC does not support cross-realm trusts between different forests yet. Thus, it is not yet possible to use the AD trusts feature of FreeIPA 3.x to connect two separate installs, Samba 4 AD DC and FreeIPA. Once we get cross-realm trusts working for the cross-forest case in Samba 4 AD DC, an AD trust between FreeIPA and Samba 4 AD DC should start working as well.

Yes, it is mostly a Kerberos trust once it is established, except for a lot of small details on verifying ticket extensions in the MS-PAC structure (documented in the MS-KILE spec) which change over time, and resolution of SIDs (MS-PAC records SIDs, not group or user names, so one has to resolve them first to use them) which is a complicated matter in complex topologies.

However, in order to establish an AD trust one needs to use the SMB protocol and MS-RPC services. You may want to look at http://freeipa.org/page/IPAv3_Architecture to get some high-level overview of what's happening. The page has some outdated material though; I'm working on updating it as we speak.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529212/
Posted by ab, Fri, 14 Dec 2012 11:42:22 +0000

You may read a longer explanation at Fedora's feature page for Samba4:
https://fedoraproject.org/wiki/Features/Samba4

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529173/
Posted by rahulsundaram, Fri, 14 Dec 2012 00:27:49 +0000

Lots of changes have happened in the last year. You should definitely look again.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529172/
Posted by jldugger, Fri, 14 Dec 2012 00:25:29 +0000

It's just a Kerberos trust; the O'Reilly Kerberos book explains them if you're curious.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529148/
Posted by Los__D, Thu, 13 Dec 2012 21:33:33 +0000

Mmmmm.... Free IPAs! (sorry!)

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529122/
Posted by Cyberax, Thu, 13 Dec 2012 18:04:46 +0000

Quite badly, a year or so ago. There was no way to use Samba's Kerberos implementation with FreeIPA; the only way was to set up mirroring between two LDAP directories, which was error-prone.

I have no idea if this has changed since.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529117/
Posted by drag, Thu, 13 Dec 2012 17:49:32 +0000

Ah, never mind. It is clear I need to do more reading up on the AD trust relationship feature.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529114/
Posted by drag, Thu, 13 Dec 2012 17:43:09 +0000

Nothing directly yet. Obviously they would love to have FreeIPA support Windows clients properly. Windows is very important to institutions nowadays, and I expect that it's far easier and more effective to get AD to work with Linux than it is to get FreeIPA to work with Windows.

Samba 4 may be able to provide that 'AD connector' functionality for FreeIPA in the future, but last time I checked there remained lots of work to get to that point.

Not sure of any of the details.

----------------------------------------------------------------------

Deployments out in the wild?
https://lwn.net/Articles/529109/
Posted by drag, Thu, 13 Dec 2012 17:39:56 +0000

I <3 FreeIPA

On numerous different occasions I have attempted to set up LDAP + Kerberos systems using the older approach of using OpenLDAP, MIT Krb5, and that sort of thing. Done it semi-successfully a few times.

And it's, generally speaking, terrible. Nscd sucks, OpenLDAP requires too much configuration to get it working, no client-side caching, and adding new nodes to the domain was irritating, not to mention the almost complete lack of end-user tools for routine administrative tasks like adding new users and such things.

FreeIPA solves all those problems. It 'just works' with a sane and workable configuration out of the box. It has SSSD now, which is fantastic. It has some halfway decent GUI tools for routine admin tasks. Adding nodes to the domain is a breeze. Got NFSv4 working with it very easily.

In addition, the standardization around Mozilla's NSS and integration of tools to automatically generate and manage certificates promises to help resolve that mess, too. Not quite there, but standardizing the libraries and utilities helps a lot.

It's not up to par with Active Directory, but it's a _MASSIVE_ step forward.

----------------------------------------------------------------------

FreeIPA: centralized identity management for Linux
https://lwn.net/Articles/529093/
Posted by bkw1a, Thu, 13 Dec 2012 16:57:24 +0000

How does this relate to the AD functionality in the just-released Samba 4?

----------------------------------------------------------------------

Deployments out in the wild?
https://lwn.net/Articles/529013/
Posted by janfrode, Thu, 13 Dec 2012 10:39:49 +0000

I'm in the process of migrating into IPA (the Red Hat version), coming from a (Sun Identity Managed) LDAP/389ds directory hosting users, groups, netgroups, sudo rules and distributing pam_access configs for HBAC. IPA is a perfect fit for this, and IPA provided scripts for migrating users/groups from LDAP to IPA easily, and IPA will also convert LDAP passwords to Kerberos on first login. Quite nice.

We don't use NTP or DNS from IPA, as we have other systems for that. We've copied all users, groups, netgroups and created HBAC rules to replace the pam_access system we use on non-IPA servers. We haven't converted the LDAP sudo rules to IPA yet, but that should be easy enough.

Most of our servers are running RHEL5 and RHEL6, but not many are migrated into IPA yet. Mostly because of lack of time / other priorities, but also because we've been hitting some problems with SSSD crashing on the RHEL5 clients (have a hot fix for it from RH now).

So, currently we use IPA for doing plain LDAP bind() authentication on some systems (works just the same as our old LDAP directory), full IPA clients on some RHEL6 servers, and IPA is the authentication system for our RHEV installation. We're also looking into replicating between IPA and Active Directory, so that we can have the same user database on both Windows and Linux servers.

I'm very much looking forward to killing the Sun Identity Managed LDAP directory, and having a completely kerberized environment managed by IPA.

----------------------------------------------------------------------

Deployments out in the wild?
https://lwn.net/Articles/528999/
Posted by dowdle, Thu, 13 Dec 2012 06:16:24 +0000

Anyone using FreeIPA out in the wild? If so, please report your experience, and basic configuration setup... what options are in play?