FreeIPA and Windows


The only wish we had for the next redhat release is a fully integrated authentication and audit server (as freeipa) which also ____SUPPORTS___ Windows (client) machines.


I already discussed this in the freeipa list but it seems they don't wanna understand that this is the only thing which is currently really missing on the linux side. Everything else is nearly working as expected or brings the required functionality. We now have opensource technologies at our hands I would never have dreamed about when I started with Linux in 1997.


The only thing which is REALLY REALLY missing, is this authentication system which works across the platforms.

We at our side __never__ install a windows directory server in our customer projects because we don't trust this system at all. So currently we had to make an ldap/samba installation because it's the only thing which can handle this windows thing.


For us it's really time to have something similar to active directory which really works and can compete with it in functionality.

We lose so many projects because we can't provide a system similar to ad. This must end NOW!


So please build the samba4/ad functionality into freeipa or help the samba guys to complete samba with a working frontend (preferably web based).


Keep in mind that IPA and Samba have different goals.  There is a lot of cross-over.  But IPA is not designed to be an AD-replacement.  Samba 4 is.


Also keep in mind that Samba always plays "catch up" with the "moving target" that CIFS, SMB and AD are.  Samba might implement older Windows protocols better than newer Windows Server releases, but for the latest support, Samba is always going to lag.


IPA is more focused on managing open standard POSIX (UNIX/Linux) platforms.  It provides a "canned" solution using standard, and legacy compatible, implementations -- LDAP, Kerberos, Certificate, NTP, etc...  Unlike AD, IPA can provide out-of-box identity management for not just Linux, but UNIX and other POSIX platforms.


If you're looking for the "magic bullet, universal support" solution, good luck.  Enterprises have not had that, not even with countless, costly AD add-ons.  Some come close with heavy customization of Red Hat Directory Server (RHDS), but even RHDS isn't talking "natively" to Windows clients and servers in many aspects.  So many enterprises rely on separate identity/management trees, and synchronize between them.  In this regard, AD+IPA will work well.


Or in the case of enterprises with Samba 4 for their Windows management, Samba+IPA will work even better.  But Samba won't be able to reverse engineer everything at any time for the latest Windows client and server expectations.  And even IPA will still be "too canned" for some POSIX environments, and AD+RHDS or Samba+RHDS will get the call there.


Again, I will re-emphasize that the "magic bullet, universal support" is a tall order that not even the Microsoft add-on world has addressed either.

with no great answer from me!  Authentication is a tricky bag.  As Bryan points out, there is no "magic bullet" solution - each has its own limitations.


We have been running AD & LDAP side by side for Windows & Linux estates.  Moves have been made to either integrate to AD or sync passwords etc to the LDAP.  Nothing has come out as a good enough solution to be worth the effort in changing things at present.  Shame really.


I really like a lot of what FreeIPA does - but it has a rigid flat directory structure.  I like a lot of what RHDS does, but there are features in FreeIPA that I really want too.  Like a child in a sweetie shop - I can't decide which chocolate to have!


My "ideal scenario" would see a merging of FreeIPA and RHDS.  Or a meeting of minds at least.  With all of the Samba4 functionality too.  Oops - there I go again!