On Fri, 20 Jul 2018, Pierre Labanowski via FreeIPA-users wrote:
> I have a question about the best practice use of FreeIPA with an AD
> trust and/or a sync relationship from winsync users.
> To set up an SMB file sharing service via Samba, would you advise
> integrating it in the IPA realm or in the AD domain?
> Both are possible, but why one more than the other? In terms of file
> access performance (metadata, ACLs, etc.) managed via the SMB
> protocol, isn't there a drawback related to Samba in the IPA realm
> serving users who use a Windows client?
Read notes on
NOTE: Only Kerberos authentication will work when accessing Samba shares
using this method. This means that Windows clients not joined to an Active
Directory forest trusted by IPA would not be able to access the shares.
This is related to SSSD not yet being able to handle NTLMSSP.
NOTE: When a Windows client accesses shares, the Windows UI will need to be
able to resolve SIDs in access control lists. Inability to do so will
affect user experience and the way applications are expected to work
with the share. A set of experiments in 2017 demonstrated that
Microsoft does not test various fallbacks around this behavior and only
considers the path used by the Windows UI to communicate with a Global
Catalog service. It is also a 'client-specific' behavior and thus is not
the subject of protocol interoperability or documented anywhere.
While for some applications/use cases it may work, it will not work for
many others, thus we cannot really qualify it as a supported solution
from the FreeIPA side.
> Do you have the same response arguments in the case of a sync between
> AD and IPA?
winsync does not affect your ability to operate a file server for
Windows clients because it doesn't help you here at all. It is
irrelevant, in other words, to the task.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
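The second note above says the deciding factor for a Windows client is whether every SID in a share's ACL can be resolved. The script below is an added example, not part of this thread and not FreeIPA or Samba project code: it parses the numeric (`-n`) output of `smbcacls`, collects every SID referenced as owner, group or ACE, and tries to map each one to a name through SSSD's `pysss_nss_idmap` bindings on the IPA domain member, reporting the ones that stay unresolved. The sample ACL dump embedded in it is constructed, and the assumption that `pysss_nss_idmap` is installed and returns a dict keyed by SID is labelled in the code.

```python
import re
import sys

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample of `smbcacls -n` (numeric, unresolved) output; not real data.
SAMPLE_ACL = """\
REVISION:1
CONTROL:SR|DP
OWNER:S-1-5-21-1111111111-2222222222-3333333333-1000
GROUP:S-1-5-21-1111111111-2222222222-3333333333-513
ACL:S-1-5-21-1111111111-2222222222-3333333333-1000:ALLOWED/0x0/FULL
ACL:S-1-5-21-1111111111-2222222222-3333333333-513:ALLOWED/0x0/READ
ACL:S-1-5-32-544:ALLOWED/0x0/FULL
"""


def parse_acl(text):
    """Parse smbcacls -n output into (owner_sid, group_sid, aces).

    Each ACE is a dict with keys sid, type, flags, mask taken from the
    'ACL:<sid>:<type>/<flags>/<mask>' lines; other lines are ignored."""
    owner = group = None
    aces = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "OWNER":
            owner = value.strip()
        elif key == "GROUP":
            group = value.strip()
        elif key == "ACL":
            sid, _, rest = value.strip().partition(":")
            fields = rest.split("/")
            if len(fields) != 3 or not SID_RE.fullmatch(sid):
                raise ValueError("unexpected ACL line: %r" % line)
            aces.append({"sid": sid, "type": fields[0],
                         "flags": fields[1], "mask": fields[2]})
    return owner, group, aces


def unique_sids(text):
    """All distinct SIDs referenced anywhere in the dump, in first-seen order."""
    seen = []
    for sid in SID_RE.findall(text):
        if sid not in seen:
            seen.append(sid)
    return seen


def resolve_sid(sid):
    """Resolve one SID to a name through SSSD's NSS idmap bindings.

    Returns None when the module is missing or SSSD cannot map the SID,
    which is the same situation a Windows client's UI will run into."""
    try:
        import pysss_nss_idmap  # assumption: SSSD python bindings installed
    except ImportError:
        return None
    # assumption: getnamebysid returns {sid: {'name': ..., 'type': ...}}
    # on current SSSD, or {sid: name} on older releases; handle both.
    entry = pysss_nss_idmap.getnamebysid(sid).get(sid)
    if isinstance(entry, dict):
        return entry.get("name")
    return entry


def audit(text):
    """Map every SID in the dump to its resolved name, or None if unresolvable."""
    return {sid: resolve_sid(sid) for sid in unique_sids(text)}


if __name__ == "__main__":
    # Usage: smbcacls -k -n //server/share somedir | python3 audit_share_acl.py
    # (use the Kerberos option your Samba version provides; as the thread
    # notes, NTLM authentication through SSSD is not available here)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACL
    owner, group, aces = parse_acl(data)
    print("owner=%s group=%s aces=%d" % (owner, group, len(aces)))
    unresolved = 0
    for sid, name in audit(data).items():
        print("%-56s %s" % (sid, name or "UNRESOLVED"))
        unresolved += name is None
    sys.exit(1 if unresolved else 0)
```

Run it on the server that exports the share, with a Kerberos ticket for an IPA or trusted-AD user; any line printed as UNRESOLVED is a SID the Windows UI will also fail to display as a name, which is the user-experience problem the note describes.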