Thanks for the feedback. In the past, where MS AD was already present, it was the working recipe in my experience.

In this case, starting from scratch I would be happy to go with just one solution.

I wasn't able to find documentation to implement sudoers or HBAC. Does it require schema extensions? Are they supported through regular CLI tools or do they require direct LDAP manipulation?

If you could share any pointers to related documentation, it would be great. For some reason I'm failing to find them.

Regards,
CI.-

On Wed, Nov 3, 2021, 09:07 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 2021-11-03 at 08:07 -0300, Cyrus via samba wrote:
> > Good morning,
> >
> > I'm in the need to implement an Identity service for a mixed
> > environment with Windows workstations & Linux systems with a common
> > set of users.
> >
> > Would it be possible to implement Samba4 for the MS Windows realm and
> > FreeIPA for the linux machines (where I expect to make use of HBAC &
> > sudoers support)?
>
> Why? A Samba AD will provide authentication for Linux clients and it
> will also do sudoers and hbac. To put it bluntly, you do not need
> freeipa with Samba AD.

On Wed, 2021-11-03 at 09:44 -0300, Cyrus wrote:

> Thanks for the feedback. In the past, where MS AD was already present,
> it was the working recipe in my experience.
>
> In this case, starting from scratch I would be happy to go with just
> one solution.
>
> I wasn't able to find documentation to implement sudoers or HBAC.
> Does it require schema extensions? Are they supported through
> regular CLI tools or do they require direct LDAP manipulation?
>
> If you could share any pointers to related documentation, it would be
> great. For some reason I'm failing to find them.

Yes, you have to extend the AD schema for sudoers, then you use sudo with ldap. I can help with the first and there is quite a bit out there about the second.

As for HBAC, presumably you can use GPOs for this and David Mulder would know about this. Talking about his work with Samba AD and GPOs, he has provided another method for sudo.

Rowland