What is Reddit's opinion of FreeIPA?

From 3.5 billion Reddit comments

FreeIPA is the closest thing to a complete AD replacement that I am aware of. It provides not only the directory component, but all of the attendant policy and trust components. FreeIPA also provides good documentation for things like cross realm trusts with support for AD. It's possible to put all of the pieces together on your own, of course, but FreeIPA is a good place to start.

Well, there's a AFAIK easy way to do it, pGina. Allows Windows to authenticate against, among other things, LDAP.

Sadly, haven't had a chance to try it out yet, so can't vouch for it's correctness. It also won't help with managing the Windows boxes beyond user accounts, for that a proper Windows domain is propably the best solution.

Considering you're using RHEL, have you looked into possibly moving towards FreeIPA? I it has bindings to AD, but this would still require establishing a Windows domain. It's probably the easiest way to manage both efficiently, though.

(Disclaimer: have direct experience with neither solution, this is based on earlier research on the topic.)

You could implement freeIPA which incorporates Kerberos authentication. It might help with your situation. I have been using it in my lab environment and it is working quite well.

We do that with Ansible. /u/my_awesome_username answered it three times.
Our organization probably won't go that route, but doing identity management is getting very easy with FreeIPA http://www.freeipa.org . For example, when a linux client is configured to be a client to a freeIPA, the users can SSH into any other machine configured the same way, without any password, using only kerberos. Very easy to setup and to use, very valuable feature.
Their e-mail client will be configured anywhere, firefox will log in the web proxy using kerberos, CUPS will authenticate the user to the print server using kerberos. Once you log in, you are authenticated to every network resource. Ansible configures PAM to mount the user $home when he logs in, using the protocol-du-jour (changed 3 times since I'm here) NFS, CIFS, whatever. This is done using login scripts in the Windows workstations.
It also can change the log-out time, using the db import windows does.
Or it can configure the station to be monitored using nagios, which simply isn't done for windows.
The same tool takes over many tools from windows, it's much simpler.

You want to take a look at FreeIPA for handling the identity services AD would provide, and one of the many open source config management systems out there to take care of fleet mgmt.

http://www.freeipa.org/page/About

Probably not possible to preserve passwords, unless you had the "store in reversible format" or whatever it is checked. Check out their migrate page, you will be able to do it via LDAP http://www.freeipa.org/page/Howto/Migration

>we don't use any directory services ? is that bad ?

It's not necessarily "bad" but using one would only benefit you. Especially as you grow. Doing it now on 145 machines is going to be significantly easier than 500+ later.

I highly recommend FreeIPA.

Sounds like your clients are mostly mom and pop shops who need nothing more than simple file and print services, for which Windows SBS (or any simi-modern OS) is perfect...

>Don't get me started about the ease of use on AD for auth instead of whatever halfassed LDAP solutions exist.

If you're looking for a simple, easy to use central authentication solution that runs on Linux, may I suggest you check out FreeIAP

As for your other qualms, I would be careful in claiming that a tool is "halfassed" just because you don't quite know how to use it. Take Screen for instance, this utility is a rather dynamic tool which I and other admins use to not only preserve connectivity over choppy ISP connections, but also as a instruction tool where I can leverage the multiple tty connections as a screen sharing platform while I instruct Jr. Admins.

Disclaimer: I use realmd+sssd, so YMMV if you don't use realmd.

• You should not need to configure krb5.conf and smb.conf (for your stated goals at least).

• Credential caching should happen out of the box.

• In /etc/pam.d/common-session you want to append

  session required pam_mkhomedir.so

• In /etc/ssh/sshd_config you want

  AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

• You may need to tell SSSD what LDAP object to get the SSH keys from.

• You can optionally set up a FreeIPA server with AD trust integration

Generally my steps to configure things are:

• If using sssd+realmd

  kinit realm --verbose join domain.org --user-principal=<hostname>/ --unattended

• If using IPA client:

  ipa-client-install --mkhomedir --ssh-trust-dns --request-cert --hostname "$(hostname -s ).domain.org" --enable-dns-updates

In both cases you need to remember to configure /etc/pam.d/common-session. Depending on the distro you may need to configure the AuthorizedKeysCommand in sshd

Ouch. Well I know a lot about "boss says so."

If you were able to keep AD around I would point out that adding another DC to that site is basically a "next, next, finish" install. VMs are cheap (usually, not sure about your situation) and bringing a second one online and moving over fsmo roles would be a pretty simple stopgap.

Best of luck with the AD work and centralizing linux logins. If you're interested I hear good things about FreeIPA.

I found freeIPA very easy to set up for my home LAN. I'm using Fedora on the server end and a mix of Centos and Fedora clients. Debian didn't seem to be well supported, but Ubuntu was. I haven't tried it yet, but I was very pleased to see the freeIPA client listed for Ubuntu Mate on the Raspberry Pi.

I just migrated my NAS setup from freeNAS (on BSD) to ZFSonLinux running on a Centos box. I made a half hearted attempt to connect the freeNAS node to freeIPA, but setting the NAS up as freeIPA under Linux was easy. The ZFS drives written on freeNAS mounted right up on the Linux box. Maybe your use-case only requires authentication, but I think most LDAP setups will also want to make sure there is some shared network storage tied to the user identities managed by the LDAP server.

I was not as impressed by the state of documentation. There was some detailed but dated documentation on the Red Hat site. The more recent docs at http://www.freeipa.org seemed incomplete and uneven.

You can use any ldap server. If you already have a Windows AD infrastructure you can use that. If you don't, then I would look into using IPA from Red Hat.

Here are the docs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

Once you have the infrastructure setup, then you configure the applications. Here you will get plenty of information: http://www.freeipa.org/page/Web_App_Authentication

Usually most web applications support ldap, so that should not be a problem. Substitute rhel by centos 7 and the info applies if you go the free beer way.

Have you checked out FreeIPA? It's one of Red Hat's love project. It's a complex package of multiple softwares.

If it's too much, you can give the 389 Directory Server a spin, it's the one that's integrated into FreeIPA and it supports mutual trust with M$ AD.

Heh. I actually went through this exact problem a few days ago. Total pain in the ass. Unfortunately theres virtually zero info on how to fix it. These are the steps I went through, hopefully it helps. Note this is for EL6, not 7. So it might be slightly different for you. Highly suggest backing up before attempting any of this.

You need to make sure the following nss databases have the new certificates (intermediary and cert):

• /var/lib/pki-ca/alias
  
• /etc/httpd/alias
  
• /etc/dirsrv/slapd-PKI-IPA
  
• /etc/dirsrv/slapd-YOURREALMNAME
  

You also need to update "cn=CAcert,cn=ipa,cn=etc,dc=EXAMPLE,dc=COM" ldap entry with the new intermediary cert. "/etc/ipa/ca.crt" on the client needs to match the ldap entry to enrol new machines. Instructions can be found here under "Add LDAP": http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

You also need to update /usr/share/ipa/html/ca.crt with the new intermediary cert.

Recommend restarting the ipa service once your done.

You probably want to centralize your user authentication at some point, FreeIPA.

Additionally, if you were to use [kerberized] automount shared home directories, you would only have to copy the key once.

Have some reading. While this is mostly about hooking it into AD, it does bring up a bunch of considerations.

FreeIPA may be up your alley?

There is no separate "FreeIPA documentation". What you call as "Red Hat IDM documentation" is the documentation for the project. The reason for that is in sorry fact of a lack of external (to Red Hat) documentation writers. Red Hat's tech writers were spending time on maintaining two books without any help from others and at some point it was unbearable. So the 'external' documentation was folded into Red Hat's official documentation.

You can read the back story here: http://www.freeipa.org/page/Upstream_User_Guide

Yes, it will work...but the article is about creating a Domain Controller, which FreeIPA does not support.

> FreeIPA without configured AD trust can provide only authentication service for Windows hosts (via standard Kerberos protocol). FreeIPA can't provide account database for Windows hosts in the same way as AD does. You have to create local Windows account and appropriate account mapping for each user if you select direct Windows<=>FreeIPA integration

Source: http://www.freeipa.org/page/Windows_authentication_against_FreeIPA

I think you should be able to do this using conditional forwarders in DNS.

Your FreeIPA DNS should be configured to forward name resolution requests for ad.corp.local to your AD name servers, and your AD DNS should forward requests for corp.local to your FreeIPA name servers.

Here's some info on how to setup both:

http://www.freeipa.org/page/Active_Directory_trust_setup#Conditional_DNS_forwarders

http://blogs.interfacett.com/windows-server-how-to-configure-a-conditional-forwarder-in-dns

Sure, you have to basically ignore the "freeipa" bit and just configure against the basedn. Probably the tricky part is getting a working bind dn.

See this page, especially the system account section. http://www.freeipa.org/page/HowTo/LDAP

I haven't played around with it yet but I've heard FreeIPA is supposed to be pretty easy to set up for shared authentication. I believe it's the basis for Red Hat Directory Server.

FreeIPA Main Page

You can use FreeIPA for central authentication, or for a hook into an existing AD infrastructure. It is a package of LDAP, Kerberos, sssd and a few other tools all seamlessly tied together in a nice install package with sensible defaults. Check it out:

http://www.freeipa.org/page/Main_Page

For CentOS/RHEL, I prefer to do this with Puppet+FreeIPA, and configure Puppet to use the FreeIPA CA for a single point of management for node identity.

Sorry: http://www.freeipa.org

>FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

It's been integrated in RHEL since 6.2 for no extra cost, and since we're a RHEL shop it made sense to use what we already had. I'm also able to use it to authenticate all of our AIX machines too.

> 1) What's a good path to learn it ? was thinking to go centos route with a linux bible book since its close to redhat... learn to run webserver, and network and users admins etc etc

The best way I've found is to give myself tasks and objectives (setup fileserver, webserver mailserver) and go for it. You can do a lot now with VM's that you couldn't 10-15years ago when you used to have to dumpster dive for spare parts. Try not to use a GUI on servers, you won't learn much that way. > 2) can both stack of technology (linux and windows) can do the same things ? I know there isn't active directory on the linux side or sharepoint & exchange etc

There are so many equivalent or better technologies it will make your head spin. Check out FreeIPA for identity/AD replacement.

> 3) is it true that most of the time a senior sysadmin will have to live with both technology on the job ? and are the distro who aren't redhat "weaker" or less in demand since there isn't pay support for big enterprise ? can you do all the same thing with centos as redhat does

CentOS is the exact same as Red Hat, it just has the Red Hat branding stripped out. This makes it an excellent learning platform. Less common in the enterprise you'll see Ubuntu/Debian though it's still pretty popular. Operating concepts are the same across all distributions so you aren't learning twice, only package management and some aspects of file and directory location differ really.

4) how deep a linux or windows server specialist need to learn about cisco and all hardware related routers, switches jupiter and all that etc without gaining a CCie ?

Don't get ahead of yourself, all that will come. Personally I learned just enough Network/SAN switching to automate all of it.

You must however have a strong grasp on the OSI layer model, subnetting, general connectivity basics no matter what operating system you are administrating to be totally effective.

Its not that hard to do ipa help and get a list of commands it supports. Then you could do ipa user help and it shows you the user commands. Or you know, google or reading the documentation on the FreeIPA site. I do have to admit though their site sucks for searching and finding things.

Yes fusiondirectory work very well with forgotten password (by mail).

For Freeipa I have tested it at home, and there is no 'forgotten password' button. And I have seen that: http://www.freeipa.org/page/Self-Service_Password_Reset

The documentation really tries to dissuade you from split-horizon, but I think it is ok: http://www.freeipa.org/page/DNS#DNS_views_.2F_split-horizon_DNS. For your purpose, it may be ok since you really only want to expose the email server A and MX records. These are the only docs worth taking a look at: http://www.zytrax.com/books/dns/ch6/index.html#split-view

Why is not joining the AD Domain an acceptable idea? Linux is perfectly capable of it.

Otherwise he should be utilizing a 1 way trust + FreeIPA to provide more unixy SSO options for his boxes.

There are also a f* ton of other options for this.

So you have server (HTTPS) certificate expired. If you have certmonger working, it should have rotated the certificate already but if it did not do it, you need to try to resubmit the cert request.

See http://www.freeipa.org/page/Certmonger for details on how to drive certmonger to manually renew a certificate.

P.S. If you want help on FreeIPA, it is more productive to use freeipa-users@ mailing list or #freeipa IRC channel on Freenode.

No more OD -- I've switched to FreeIPA (currently on CentOS6 w/ 3.0.0)

This is the "upstream" project that backs RedHat Directory Services, and can be used with Linux and OSX clients for LDAP, Kerberos auth and userinfo, DNS, as well as granular permissions control for node access and command permissions via sudo.

Although the CentOS / EL6 version is behind current release, I've had no issues with it for auth/info/permissions, DNS, or replication between sites with multiple replicas each. RHEL7 + IPA upgrades are on my todolist for this fall.

If your mac workstations are already configured with OD and "mobile" user accounts, it's pretty straightforward to swap IPA in place. You can setup a new IPA instance configured for your domain, setup your users/groups/hosts (can be scripted if you have lots), and then migrate machines to it. I wrote a mini howto with details on the OSX config, and a migration script I used to automate the process when migrating a bunch of workstations.

Red Hat Identity Management which a portion is based off of FreeIPA can provide services similar to AD.

I would still continue to run AD, in a minimal configuration, to let AD do what it is good at, and use the Linux-based services to augment AD and provide additional Linux-centric services (like netgroups, home dirs, centrally-managed sudoers). It's difficult (for me) to imagine an environment devoid of Microsoft and I'm OK with that ;-)

One of the sessions at OLF was about FreeIPA and integrating Samba and Active Directory. He gave a nice overview. I've been doing research on it since. CentOS comes with IPA. Mostly though, it's required to actually dig through documentation to make heads or tails of anything. This diagram puts things in perspective quite nicely I think. I'm hoping to get a solid setup going soon. In the mean-time there's also this video, it's hard to understand at times but it makes a few things more clear. Basically though, IPA takes many of the tools necessary to communicate between AD and a Linux server/client and sticks them in a more integrated package.

FreeIPA will work fine.

As for application user management, look at http://www.freeipa.org/page/Web_App_Authentication for the recommended way of securely integrating web apps with FreeIPA. Not all modules for it are in Debian (if any) but they are simple and easy to build.

If your network is primarily linux/osx/unix clients and servers, check out FreeIPA.

It can be used to handle user/group/node identity, kerberos, SSL PKI, DNS, and more. If you need to spend $$, FreeIPA is the open-source upstream project for what is RedHat Directory Server

Because I saw this and thought "free beer" + Puppet ... ?

Here's what FreeIPA is from freeipa.org:

> FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

> FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

> FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

> Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server.

> Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.

I would look at read to use ldap login services like freeipa. They also work with AD. http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory.html

There's a number of ways to accomplish this behavior. One of them is by using a different shell such as rssh.
You can also control what services a user is able to log on with using an idm like FreeIPA.
And last, sshd can force SFTP connection by using user matching paired with ForceCommand. :)

I would definitely be looking at RHEL7 or the upcoming CentOS 7. You want something stable with security support. I'd suggest Ubuntu 14.04 LTS, save for one thing... Red Hat's FreeIPA and related SSSD project are very nice. I would check to see if you can at least get the SSSD client on whatever distro you choose, as it's going to make things so much nicer. Especially if you choose to go with 2-factor devices, be that Yubikeys or CCID smart cards.

We call them files. If you want the enterprise approach why not use puppet? If you're looking for group policies then you probably want to look at FreeIPA. If you want to "push down" you can use ssh, rsync, ldap.

The fact that there are many ways to do so is a strength. The 1 M$ Way is restrictive and when it doesn't work, you spend 4 days rebuilding a server while everyone yells at you that they can't get their work done.

I've never used freeIPA server but as far as I know it's freely available on CentOS and Fedora (maybe on other distros too):

• What are the pros and cons of freeIPA?
• About freeIPA

A closely related project which seems interesting for deployments is Fleet Commander

For LDAP, yes you can use it for shared logins. Check out OpenLDAP - https://www.howtoforge.com/linux_ldap_authentication

Alternatively, I believe FreeIPA is the new hotness - look at http://www.freeipa.org/page/Quick_Start_Guide if you want a fun weekend.

I haven't done this for a while, but I know it's not that hard to set up if you are used to Linux. You will need your LDAP server running 24/7 + working DNS for this to work. (DNS is really important for anything you do on network.. there's a joke - "It's always DNS", which isn't really a joke because when you have weird shit happening, the answer is always DNS not working)

https://duckduckgo.com/?q=its+always+dns&amp;t=ffab&amp;ia=web

Your ISP's domain is showing up because your DHCP server is handing it out as a search domain.

If you want to remove it, change the DNS servers on your router to point to Google DNS, and also check the DHCP options to remove the search domain. That should fix it. You can google "your ISP + remove DNS search domain" to see if someone has a guide.

You've been told on IRC that what you think you are doing is not what actually needs to be done. You ignored that, which is OK, you want to learn yourself. Active Directory is more than just a collection of LDAP, DNS, and Kerberos. Creating conditional forwarders doesn't change Active Directory opinion on which realm those DNS domains belong to and which KDCs should be used to process incoming AS/TGS requests.

Since in reality what you needed is to place Linux servers into a DNS domain that AD considers part of its Kerberos realm, start with http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain to learn what is happening and how to configure things.

> I doubt that would be practical in bigger governmental/corporate networks. I'm not sure how well Linux works with Active Directory, or what you'd replace Active Directory with if you wanted to ditch that too. It's hard to replace all the stuff MS does with AD+windows+O365. Possible, but it would cost a lot to implement and would probably take more effort to keep running.

You're kidding, right? Linux, being a clone of Unix, was designed to operate in a domain with centralized administration! Not only does Linux definitely support the technologies that make up Active Directory (LDAP, Kerberos, etc.), it supported them before Microsoft did! The main difference is that, in keeping with the Unix philosophy, the various functions are accomplished by separate programs instead of glommed together and branded the way Microsoft does it. (Although if you want to do things the Microsoft way on Linux, that can be arranged too, especially if you use Red Hat.)

> These things usually get decided on two things: how much does it cost, and what do we get for that money. When the answer to that is that it costs a lot and gets you very little, people making the decisions are less than enthusiastic about this.

Okay, now I'm starting to think you're a troll or a shill. While the cost of the transition itself could be significant (due to the need to retrain or replace the Windows IT folks with ones competent to admin Linux), the long-term cost should be cheaper because you don't have Microsoft trying to fuck you over all the time (not just with licensing costs, but also with gratuitous UI changes that generate support calls from users, security problems, deprecated technologies, the ever-present threat of an expensive BSA audit if you didn't dot all your i's and cross all your t's, etc.).

I've recently been going through this trying to get it to work via FreeIPA via radius.

The radius -> FreeIPA works fine but i'm having issues with the way it handles the password via ldap. Any experience?

if i put the user directly into radius locally (rather than lookup via ldap in freeipa) it works fine.

It's specifically with how freeradius does the lookup inside ldap (useful for AD as well..)

You may have a look at http://www.freeipa.org/ and Samba. For GPO like functionality you have to remember that everything is stored in a configuration file and can be altered by scripts. For folder redirection you can check out how mounting works.

Unfortunately I have no experience myself. Maybe someone else could provide you with scripts and further ideas.

Yeah. Red Hat Enterprise Linux support covers everything that's included in the OS, which includes Red Hat Identity Management (FreeIPA), MariaDB, PostgreSQL, Apache, Python, PHP, Perl, postfix/sendmail, etc.

There's not a lot of reasons to get anything else with the RHEL platform.

FreeIPA doesn't support it the last time I looked at it. Windows Users can authenticate to Linux, but Linux users cannot authenticate against windows. I followed their guide for setting up a trust a couple months ago, and at that time it was still unsupported.

Is this what you followed? http://www.freeipa.org/page/Active_Directory_trust_setup

When I set this up, it would not work.

Hello,

I'm using this template to ship rsyslog to logstash via JSON: http://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana

After some tinkering i's thinned to:

template(name="ls_json" type="list" option.json="on") { constant(value="{") constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339") constant(value="\",\"@version\":\"1") constant(value="\",\"message\":\"") property(name="msg") constant(value="\",\"host\":\"") property(name="fromhost") constant(value="\",\"host_ip\":\"") property(name="fromhost-ip") #constant(value="\",\"logsource\":\"") property(name="fromhost") constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text") #constant(value="\",\"severity\":\"") property(name="syslogseverity") constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text") #constant(value="\",\"facility\":\"") property(name="syslogfacility") constant(value="\",\"program\":\"") property(name="programname") constant(value="\",\"pid\":\"") property(name="procid") constant(value="\",\"syslogtag\":\"") property(name="syslogtag") constant(value="\"}\n") } . @@logstash01.example.com:5500;ls_json

Using any HOTP or TOTP PAM plugin. You might like OAuth Toolkit and here's one person's experience. If you're on Red Hat or Fedora then FreeIPA is a comprehensive configurator suitable for large deployments.

> The docs clearly state if you want to use integrated dns you need to delegate a primary domain to it.

"integrated DNS" is what I was referring to as "embedded DNS." You're free to use DNS external to FreeIPA if that's the situation you're in.:

>> When using external name server, identity management functionality or trusts will be possible, however the configuration will be much more difficult and error prone. Full list of benefits of using the integrated DNS service can be found in the DNS article.

They wouldn't have designed FreeIPA to only work with its own DNS since the DNS being outside the directory admin's control isn't an unusual situation. AD doesn't work that way either and for the same reasons. Plenty of places use something like bluecat or Infoblox to manage DNS since a lot of times the networking team (separate from the OS team) will "own" the organization's DNS and not necessarily care if something the OS team uses doesn't work because of something they did.

It's just that you probably want the embedded DNS in each situation since everything ties together a lot more nicely and works together.

Nitpicking: it is not a one-way trust. Currently FreeIPA requires two-way trust to AD to be functional. One-way trust work is what I'm implementing for FreeIPA 4.2 here: http://www.freeipa.org/page/V4/One-way_trust

Check out FreeIPA. It is the go to for open source identity management. The suite includes ldap, krb5, ntp, DNS, dogtag certificate authority. Why not run those services separate? Because there needs to be glue to get them all to interact with each other w/o a mass amount of customization and/or recompile and none of them have api access. You could write your own api but it would suck compared to FreeIPA.

Http://www.freeipa.org

The suite can overwhelming. Start small. Break down the major components into digestible steps.

Avoid using raw OpenSSL as a certificate authority. I absolutely hate our way of managing certificates manually when Puppet should be running an Exec against api to pull a certificate. We have 5000 certs that we have to deal with.

The post links to a Git commit that shows "FreeIPA is being released". I linked to this Git commit, because there is no high-level article stating "FreeIPA has been released for Debian".

As for "What is FreeIPA?". Website link: http://www.freeipa.org/

FreeIPA is the ActiveDirectory (the authentication and authorisation parts) of the Linux world. You use it to centrally manage user accounts, and user groups details. These details can be used for authentication/authorisation purposes for your network computers.

Anything with LDAP and Kerberos clients can authenticate with either Samba AD DC or FreeIPA that includes Windows. If the server LDAP server has the correct schema, theoretically everything one does can be done by the not factoring in other protocols that may be used.

The main difference the difficulty involved in configuring it. That is why a review would be greatly appreciated. Since they are both big complicated systems they are likely to have bugs. A review is likely to find inter-compatibility bugs and reveal work around.

What Distro are you running your Samba AD DC on?

The easiest way to get this going is to install something like FreeIPA. This combines LDAP+Kerberos into a nice package. http://www.freeipa.org/

To make it even easier, I have a puppet module which can automate this. https://github.com/purpleidea/puppet-ipa

HTH

Sorry, I try not to touch Windows desktop so I cannot answer that with any authority.

In theory you should be able to hook Windows clients up to something like FreeIPA, as long as you used the correct schema. AD is just LDAP/Kerberos as far as authentication is concerned.

Try this

OpenLDAP and AD's sync mecanisms are not compatible. What you are searching is either :

1. a 3rd party service that can keep two different LDAP servers in sync.
   
2. a directory server that can act as a slave for an AD server.
   

For case one you have LSC, which also be used to filter what you replicate, or transform certain data. It runs as a cron job.
http://lsc-project.org/wiki/

For the second case you have the 389 Directory Server : http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Sync_With_Active_Directory

And a special case of using 389 is to use the free ipa :
http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory.html (though might be overkill for what you need).

If you want to just "read" the passwords, LSC is the easyest way to go.
If you want to be able to change the passwords, or other data, FreeIPA can do that (with some limitation though, you cannot add users in freeipa, users must already exist and be pulled from AD).

Of course a DMZed AD server can do what you want, but is not linux based :). And afaik trust relationship in Samba4 are not quite fully implemented yet. Last time I checked Samba could be trusted, but could not trust AD. ( And by "checked" I mean read on samba mail list . )