Large network of Windows machines without AD - GO!
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@notverypunny said in Large network of Windows machines without AD - GO!:
Would something like Zentyal be appropriate?
Just a package of Samba 4 which is just a third party AD. So this is just another way of saying to use Samba, which is another way of saying "keep AD."
If the question is "how can I more affordably do AD", then Zentyal is a great AD distro. But if the question is "how do I ditch AD", Zentyal isn't ditching it at all.
Fair enough, I read "without AD" and my mind went to "without M$"
-
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
-
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff every day.
-
@Pete-S said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff every day.
You can do full AD without anything in the Windows ecosystem. You can do Linux AD server side, and Linux clients and never have Windows code at all and be all on AD. You don't, normally, as it is too heavy to bother with if you don't have Windows somewhere. But it works. AD is just a heavy version of LDAP that is classic to UNIX.
FreeIPA is expected to be used either in an all Linux world, or in a hybrid world with AD handling the Windows side of things (but they recommend Linux based AD.)
-
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
@scottalanmiller said in Large network of Windows machines without AD - GO!:
@Pete-S said in Large network of Windows machines without AD - GO!:
Would this be an option if you wanted central authentication in Windows without any AD or AD clone?
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
The way I understand it you could use this setup to authenticate your local account on Windows.
Authenticate, yes. But FreeIPA isn't meant to do that, doesn't work well for it, and they themselves say that you should use Samba instead as it is meant for that.
But the point wasn't the product. The point was that it looks like you can authenticate local users on Windows against anything that supports Kerberos. So you can still use central authentication for your Windows clients (that can be shared with Linux, web apps and whatever) without using AD or anything in the entire Windows ecosystem. I didn't know that was even possible but maybe it is old news for you guys working with this stuff every day.
You can do full AD without anything in the Windows ecosystem. You can do Linux AD server side, and Linux clients and never have Windows code at all and be all on AD. You don't, normally, as it is too heavy to bother with if you don't have Windows somewhere. But it works. AD is just a heavy version of LDAP that is classic to UNIX.
FreeIPA is expected to be used either in an all Linux world, or in a hybrid world with AD handling the Windows side of things (but they recommend Linux based AD.)
OK, thanks.
-