On 11/3/21 7:07 AM, Cyrus via samba wrote:
> Good morning,
>
> I need to implement an identity service for a mixed environment
> with Windows workstations & Linux systems with a common set of users.
>
> Would it be possible to implement Samba4 for the MS Windows realm and
> FreeIPA for the Linux machines (where I expect to make use of HBAC &
> sudoers support)?

Yes, it is possible, but you will not get a single realm; you will have at least two and will need to set up cross-realm trusts.

As other replies have stated, you can do much of what you need with Samba alone.

Unless your Linux clients and servers outnumber your Windows workstations, going with Samba AD alone is probably your best bet: because you are already immersed in the Windows client world, you will not have too much of a problem with needing to use a Windows client to manage some Samba AD features.

On the other hand, if your fleet of machines is mainly Linux, like some of my installations where Windows is restricted to some management or special users that require it, while the majority is OLTP application users running Linux, I would go with the dual installation. There are features that FreeIPA gives in these environments, like an integrated certificate authority and automated certificate distribution and renewal, that will require manual integration on a Samba AD installation.

> Would it make sense to have all the users in Samba4, or the other way around
> (all users in FreeIPA)?
>
> Any advice would be appreciated.
>
> Regards,
> CI.-
Thanks a lot.

For this environment we have a 20/80 distribution, with 80% Linux servers, workstations & kiosks. Windows is indeed restricted to a limited administrative user group (higher management & the accounting department).

I'm fine with the dual realm, with all the users on one side & a trust between both parties. Probably it makes sense to go with the dual setup in this case. Sudoers & HBAC feel more convenient with FreeIPA's web GUI/CLI.

Regards,
CI.-

On Wed, Nov 3, 2021, 10:10 Robert Marcano via samba <samba at lists.samba.org> wrote:
> On 11/3/21 7:07 AM, Cyrus via samba wrote:
> > Good morning,
> >
> > I need to implement an identity service for a mixed environment
> > with Windows workstations & Linux systems with a common set of users.
> >
> > Would it be possible to implement Samba4 for the MS Windows realm and
> > FreeIPA for the Linux machines (where I expect to make use of HBAC &
> > sudoers support)?
>
> Yes, it is possible, but you will not get a single realm; you will have
> at least two and will need to set up cross-realm trusts.
>
> As other replies have stated, you can do much of what you need with
> Samba alone.
>
> Unless your Linux clients and servers outnumber your Windows
> workstations, going with Samba AD alone is probably your best bet:
> because you are already immersed in the Windows client world, you will
> not have too much of a problem with needing to use a Windows client
> to manage some Samba AD features.
>
> On the other hand, if your fleet of machines is mainly Linux, like some
> of my installations where Windows is restricted to some management or
> special users that require it, while the majority is OLTP
> application users running Linux, I would go with the dual installation.
> There are features that FreeIPA gives in these environments, like an
> integrated certificate authority and automated certificate distribution
> and renewal, that will require manual integration on a Samba AD
> installation.
>
> > Would it make sense to have all the users in Samba4, or the other way around
> > (all users in FreeIPA)?
> >
> > Any advice would be appreciated.
> >
> > Regards,
> > CI.-
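The HBAC and sudo rules that make FreeIPA attractive for the Linux side of this layout, as an added example that is not part of the thread or of the FreeIPA project's own code. The rule, group, hostgroup and command names are hypothetical; the `ipa` subcommands are the standard FreeIPA CLI. Set `DRY_RUN=1` to print the commands instead of running them (otherwise an admin Kerberos ticket from `kinit` is needed). The security point a practitioner wants to see is in `apply_example`: FreeIPA ships with an enabled `allow_all` HBAC rule, and until it is disabled every user can log in to every host, so any rule you add grants nothing new.

```shell
#!/bin/sh
# Added example (not from the thread): FreeIPA HBAC and sudo rules.
# All names below (ssh_ops, ops, linux-servers, restart_services) are
# hypothetical. DRY_RUN=1 prints the commands instead of executing them.

# Run an ipa subcommand, or print it with each argument single-quoted
# so the dry-run output can be pasted back into a shell.
ipa_cmd() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ipa'
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

# HBAC: members of group $2 may log in through sshd on hosts in hostgroup $3.
# The rule is useless while the default allow_all rule is still enabled.
hbac_allow_ssh() {
    rule=$1; group=$2; hostgroup=$3
    ipa_cmd hbacrule-add "$rule" --desc="ssh for $group on $hostgroup"
    ipa_cmd hbacrule-add-user "$rule" --groups="$group"
    ipa_cmd hbacrule-add-host "$rule" --hostgroups="$hostgroup"
    ipa_cmd hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# sudo: members of group $2 may run exactly command $4 on hosts in
# hostgroup $3. No '!authenticate' option is added, so sudo still asks
# for the user's password, and no runas entry is added, so the command
# runs only as sudo's runas_default (normally root).
sudo_allow_cmd() {
    rule=$1; group=$2; hostgroup=$3; cmd=$4
    ipa_cmd sudocmd-add "$cmd" --desc="managed by $rule"
    ipa_cmd sudorule-add "$rule" --desc="$group may run $cmd on $hostgroup"
    ipa_cmd sudorule-add-user "$rule" --groups="$group"
    ipa_cmd sudorule-add-host "$rule" --hostgroups="$hostgroup"
    ipa_cmd sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# Simulate an access decision on the server before touching a client.
hbac_check() {
    ipa_cmd hbactest --user="$1" --host="$2" --service="$3"
}

apply_example() {
    # Step 0: close the default "everyone, everywhere" rule first.
    ipa_cmd hbacrule-disable allow_all
    hbac_allow_ssh ssh_ops ops linux-servers
    sudo_allow_cmd restart_services ops linux-servers /usr/bin/systemctl
    hbac_check alice app01.ipa.example.com sshd
}

# Usage: ./ipa-rules.sh apply      (or DRY_RUN=1 ./ipa-rules.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_example
fi
```

The `hbactest` call is worth keeping in any change script: it evaluates the rules server-side for one user/host/service triple, so a mistaken hostgroup or a still-enabled `allow_all` shows up before anyone is locked out of, or let into, a machine.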
On 11/3/21 7:09 AM, Robert Marcano via samba wrote:
> On the other hand, if your fleet of machines is mainly Linux, like some
> of my installations where Windows is restricted to some management or
> special users that require it, while the majority is OLTP
> application users running Linux, I would go with the dual installation.
> There are features that FreeIPA gives in these environments, like an
> integrated certificate authority and automated certificate distribution
> and renewal, that will require manual integration on a Samba AD
> installation.

Samba integrates with the MS certificate authority via Certificate Auto Enrollment:

https://wiki.samba.org/index.php/Group_Policy#Certificate_Auto_Enrollment

And it is all automated via Group Policy. There is no manual integration required.

--
David Mulder
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P) +1 801.861.6571
dmulder at suse.com
http://www.suse.com/