FreeIPA and Windows


The only wish we had for the next Red Hat release is a fully integrated authentication and audit server (such as FreeIPA) which also __SUPPORTS__ Windows (client) machines.


I already discussed this on the FreeIPA list, but it seems they don't wanna understand that this is the only thing which is currently really missing on the Linux side. Everything else is nearly working as expected or brings the required functionality. We now have open source technologies at our hands that I would never have dreamed about when I started with Linux in 1997.


The only thing which is REALLY REALLY missing is this authentication system which works across the platforms.

We on our side __never__ install a Windows directory server in our customer projects because we don't trust this system at all. So currently we have to make an LDAP/Samba installation because it's the only thing which can handle this Windows thing.


For us it's really time to have something similar to Active Directory which really works and can compete with it in functionality.

We lose so many projects because we can't provide a system similar to AD. This must end NOW!


So please build the Samba 4/AD functionality into FreeIPA or help the Samba guys to complete Samba with a working frontend (preferably web based).


Keep in mind that IPA and Samba have different goals.  There is a lot of cross-over.  But IPA is not designed to be an AD-replacement.  Samba 4 is.


Also keep in mind that Samba always plays "catch up" with the "moving target" that CIFS, SMB and AD are.  Samba might implement older Windows protocols better than newer Windows Server releases, but for the latest support, Samba is always going to lag.


IPA is more focused on managing open standard POSIX (UNIX/Linux) platforms.  It provides a "canned" solution using standard, and legacy compatible, implementations -- LDAP, Kerberos, Certificate, NTP, etc...  Unlike AD, IPA can provide out-of-box identity management for not just Linux, but UNIX and other POSIX platforms.


If you're looking for the "magic bullet, universal support" solution, good luck.  Enterprises have not had that, not even with countless, costly AD add-ons.  Some come close with heavy customization of Red Hat Directory Server (RHDS), but even RHDS isn't talking "natively" to Windows clients and servers in many aspects.  So many enterprises rely on separate identity/management trees, and synchronize between them.  In this regard, AD+IPA will work well.


Or in the case of enterprises with Samba 4 for their Windows management, Samba+IPA will work even better.  But Samba won't be able to reverse engineer everything at any time for the latest Windows client and server expectations.  And even IPA will still be "too canned" for some POSIX environments, and AD+RHDS or Samba+RHDS will get the call there.


Again, I will re-emphasize that the "magic bullet, universal support" is a tall order that not even the Microsoft add-on world has addressed either.