[Novalug] Understanding POSIX v. Windows -- WAS: Systemd example

Bryan J Smith b.j.smith@ieee.org
Fri Jul 17 04:15:39 EDT 2015


Bryan J Smith wrote:
> It's _not_ an AD killer any more than AD is an LDAP killer.

Understand Microsoft _also_ sells LDAP ...
It's called Lightweight Directory Services (LDS).

AD is a "canned" solution for Windows systems and attributes.
IPA is a "canned" solution for POSIX systems and attributes.

There will still be cases for full LDAP in _both_ Windows and POSIX
environments, especially for .NET (LDS, ADFS, etc... are designed
around .NET, IWA, etc...) and Java (various options, not just
389/RHDS).

But for typical platform identity and related services, AD isn't
designed to service POSIX systems any more than IPA is designed to
service Windows systems.  AD can store only very basic POSIX, and
IPAv1 made the (short-lived) mistake of trying to favor NTuser schema
instead of IETF, and that is no longer the case as of IPAv2+.

IPAv3 can use AD Forest trusts, and provide certain solutions so AD
Forests think it's just another AD Forest.  That's how AD itself acts
when its schema doesn't match, you have to use 2 different Forests.
I.e., IPA just leverages the solution Windows created for itself, when
its own schema doesn't match -- hence what happens for IPA too
(because its schema will not match any AD).

So the question isn't so much what is an "anything killer."

It's about what works for POSIX natively, but _also_ interoperates
with AD.  And it does in a way that Windows systems and solutions
don't have to understand POSIX, and vice-versa.  Because that's the
problem -- they don't, at most, just a few things.

Windows systems don't understand POSIX.  Samba is unable to emulate
every service and schema out there that has been released for Windows
Server.  Furthermore, running things like Samba Winbindd enumeration,
SSSD enumeration, and the "free" versions of those add-ons, etc...
aren't often security compliant, because they are not centrally stored
attributes, but "enumerated" and "assumed" ones on the local client.

Hence the POSIX store for POSIX systems.
And the Windows store for Windows systems.
And the former knows how to work together with the latter ... separate
with an AD Forest trust.


-- bjs