Is Samba 4 a good alternative to FreeIPA?

MountainX asked:

Our goal is to set up one file server / print server on a small LAN. To solve file permissions issues and access issues we have encountered, we believe a type of LDAP solution should be part of this. Two of the solutions we are considering are:

  1. Samba 4, which (I believe) includes network file sharing, directory management and printer sharing functions.

  2. NFS + Kerberos + Avahi + CUPS most likely built on a FreeIPA server.

First, are we understanding the alternatives correctly?

Is Samba 4 a good alternative to option 2 (FreeIPA with NFS v4, Kerberos, CUPS, Avahi, etc.) in a local area network consisting of almost entirely Arch Linux clients?

We are looking for a very simple solution for authentication, secure file sharing and printer sharing. Plain Kerberos + LDAP + NFSv4 (without FreeIPA) was recommended, but this seems too complex for us. Hence, the reason we are considering FreeIPA or Samba.

NIS may also be an option (along with NFS, etc.). But NIS is old and not very secure. However, it is simple. Samba 4 also seems simple and it is more secure and more modern.

Is Samba 4 feature competitive (in terms of network file system security and authentication) with a system built around FreeIPA, NFS, LDAP, Kerberos?

The clients will be almost entirely Arch Linux. The server could be Arch if we run Samba 4 or NIS. (We prefer Arch everywhere.) If we use FreeIPA the server would have to be Ubuntu, Red Hat, Fedora or CentOS.

Our company is open to purchasing Red Hat with premium support if we go with FreeIPA. Nobody here knows anything about Red Hat. However, would it be easier to get the Arch Linux clients to work with Samba 4 as the directory service?

So there are two questions:

  1. Is Samba 4 a good alternative to FreeIPA+NFS+LDAP+Kerberos overall?

  2. With all Arch Linux clients, which alternative (FreeIPA-based or Samba 4-based) will have best compatibility and the least headaches?

My answer:

First, let me say that whether you choose Samba4 or FreeIPA, you’re setting up a lot of moving parts for “one” file/print server.

You could go with Samba4 as a file/print server, and not a domain controller, and have it keep a local list of users to authenticate against. That’s only going to require one VM and a bunch of storage, but it means you lose things like self-service password resets and the like that you would get with an actual domain.

FreeIPA is a full featured identity, policy and audit solution. It doesn’t by itself serve files or printers, but it enables file and print services to reside on the domain, authenticate to it, etc. It also manages all the domain joined computers, in your case a bunch of machines running Arch Linux. The complete feature list is extensive, and if you want some or all of those features in addition to file/print services, then FreeIPA is the way to go.

If you go this route, I’d recommend Fedora or RHEL/CentOS as the server base for FreeIPA. It is developed on these platforms and Debian/Ubuntu are a bit secondary. The Red Hat documentation should suffice to get you up and running.

In particular, if you’re on Arch because you need very recent software in your environment, you may be happier with Fedora as a server, which tries to do the same. You’ll find that many things are similar between them, e.g. anything to do with systemd, and the differences aren’t too difficult to work out.
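The standalone option described in the answer (Samba 4 as a file/print server with a local user list, not a domain controller) could look like the following `smb.conf`. This is an added example, not part of the original answer; the share name, paths, the `staff` group and the `192.168.1.` subnet are assumed placeholders.

```ini
# Constructed example: standalone Samba 4 file/print server (no domain controller).
# Share name, paths, group and subnet below are placeholders.
[global]
    server role = standalone server
    security = user
    # Local account database; accounts are added with "smbpasswd -a <user>"
    passdb backend = tdbsam
    # Reject failed logins instead of mapping them to the guest account
    map to guest = never
    # Refuse SMB1/SMB2 and require signed, encrypted sessions
    server min protocol = SMB3
    server signing = mandatory
    smb encrypt = required
    # Limit access to the LAN (placeholder subnet) and localhost
    hosts allow = 192.168.1. 127.0.0.1
    # Hand print jobs to the local CUPS daemon
    printing = cups
    printcap name = cups
    load printers = yes

[shared]
    path = /srv/samba/shared
    valid users = @staff
    read only = no
    create mask = 0660
    directory mask = 0770
    # Keep new files owned by the shared group
    force group = staff

[printers]
    path = /var/spool/samba
    printable = yes
    valid users = @staff
    guest ok = no
    browseable = no
```

Running `testparm` against the file checks it for syntax errors before the service is restarted. Because the accounts live only in this server's local database, each user's password has to be set on the server itself, which is the loss of self-service features the answer mentions.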

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.