[Freeipa-devel] freeIPA and NIS
Christian Horn
chorn at fluxcoil.net
Tue Aug 12 10:40:51 UTC 2008
On Tue, Aug 12, 2008 at 11:43:14AM +0200, Angel Marin wrote:
> (sorry for the off-topic, but it might be of interest for people
> planning on moving to freeipa)
Seeing what you implemented, I guess it fits to @freeipa :)
> We do auth through a home made pGina plugin that does kerberos auth and
> ensures openafs (roaming profiles and user dirs are in the afs cell) is
> ready; looking up user info in ldap, ensuring clock is in sync and
> enabling password change are in the works. Finally kfw and openafs
> integrated logon plugin takes care of actual tickets for user session so
> there's SSO*.
>
> We've had to patch pGina too as stock one was crashing on us. Once we've
> been able to polish all the quirks (currently sometimes users are
> randomly denied access to afs cell on first login) we'll release code
> and docs somewhere :)
Great.
> * Biggest issue with SSO is that it'll only work with apps capable of
> talking to kfw (firefox, thunderbird, openafs-client, ...), but that's
> not a problem around here. In theory with Vista clients kfw is capable
> of writing to system ccache (enabling SSO on IE and the like) but we
> haven't tried it here.
I did look into running an AD domain and having it cross-trusting the
Kerberos realm; corporations do not lose the Microsoft support that way
(what if $stuff happens!) and authentication also from IE works, see
http://fluxcoil.net/files/sso_crossrealm_kerberos.htm .
Having no AD server around, like in your solution, of course feels
much more convenient.
Samba4 should be able to play that role in future.
Christian