[Freeipa-devel] freeIPA and NIS

Ahmed Kamal email.ahmedkamal at googlemail.com
Tue Aug 12 11:55:45 UTC 2008


I'm not so sure the final samba4 will still ship with their own kdc, I think
I heard otherwise. But this setup of yours is surely interesting! It's great
that you're finding AFS of production quality.
Regards

On Tue, Aug 12, 2008 at 2:50 PM, Angel Marin <anmar at anmar.eu.org> wrote:

> We sync freeipa groups with openafs groups and memberships (simple script)
> so permissions are managed as a regular openafs thing. openafs client honors
> those perms just fine based on the logged in principal. So 'local' users are
> only used for the workstation login, no need to use windows groups for
> anything :)
>
> They still can't create local shared folders in the regular way, but if
> everything is in the afs cell, every user can have folders with access
> granted to whoever they (or you) want. It's just a training problem :)
>
> In the broad sense it feels like a more convoluted setup, but it's an order of
> magnitude nicer/easier to have linux home dirs on the same file servers as
> the windows ones while everyone is authenticating to a single freeipa realm
> :) Having the flexibility & network caching performance of openafs gives
> great value for remote & home office setups too; but YMMV :)
>
> Considering Samba4 ships with its own ldap-server implementation and
> doesn't work with a regular MIT kdc AFAIK, I'm not sure it would be cleaner
> in any way ;)
>
> Ahmed Kamal wrote:
>
>> I played with pGina before, it was great, but the only limitation I faced
>> was that Windows does not "see" other users and groups. Logged in users are
>> created to be "local" users, which means one can't create shared folders,
>> and apply permissions and such. Is this resolved by using open-afs (I've
>> never touched that)? If so, that would really rock! I'd even prefer that to
>> a samba4 solution!
>>
>> On Tue, Aug 12, 2008 at 1:40 PM, Christian Horn <chorn at fluxcoil.net> wrote:
>>
>>    On Tue, Aug 12, 2008 at 11:43:14AM +0200, Angel Marin wrote:
>>     > (sorry for the off-topic, but it might be of interest for people
>>     > planning on moving to freeipa)
>>
>>    Seeing what you implemented i guess it fits to @freeipa :)
>>
>>
>>     > We do auth through a home made pGina plugin that does kerberos auth and
>>     > ensures openafs (roaming profiles and user dirs are in the afs cell) is
>>     > ready; looking up user info in ldap, ensuring clock is in sync and
>>     > enabling password change are in the works. Finally kfw and openafs
>>     > integrated logon plugin takes care of actual tickets for user session so
>>     > there's SSO*.
>>     >
>>     > We've had to patch pGina too as stock one was crashing on us. Once we've
>>     > been able to polish all the quirks (currently sometimes users are
>>     > randomly denied access to afs cell on first login) we'll release code
>>     > and docs somewhere :)
>>
>>    Great.
>>
>>
>>     > * Biggest issue with SSO is that it'll only work with apps capable of
>>     > talking to kfw (firefox, thunderbird, openafs-client, ...), but that's
>>     > not a problem around here. In theory with Vista clients kfw is capable
>>     > of writing to system ccache (enabling SSO on IE and the like) but we
>>     > haven't tried it here.
>>
>>    I did look into running an AD-domain and having it cross-trusting the
>>    kerberos realm, corporations do not lose the microsoft-support that way
>>    (what if $stuff happens!) and authentication also from IE works, see
>>    http://fluxcoil.net/files/sso_crossrealm_kerberos.htm .
>>    Having no AD server around like in your solution of course feels
>>    much more convenient.
>>    Samba4 should be able to play that role in future.
>>
>>
>>    Christian
>>
>>    _______________________________________________
>>    Freeipa-devel mailing list
>>    Freeipa-devel at redhat.com
>>    https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>>
>
> --
> Angel Marin
> http://anmar.eu.org/
>
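One way to implement the FreeIPA-to-OpenAFS group sync that Angel mentions above ("simple script" that mirrors IPA groups and memberships into the AFS cell). This is an added example, not the script from the thread: the LDAP layout (cn=groups,cn=accounts,...), the group names, and the current AFS state are constructed assumptions, and the `pts` invocations it emits (creategroup, adduser, removeuser) are standard OpenAFS commands. It diffs the wanted state against the existing one so that re-running it is idempotent, and it never touches AFS groups that are not defined in IPA.

```python
"""Plan the OpenAFS `pts` commands needed to make AFS group membership match
FreeIPA group membership. Constructed example; not the thread author's script."""
import subprocess

# Constructed sample of what `ldapsearch -b cn=groups,cn=accounts,<base>`
# returns for FreeIPA groups: the member values are user DNs whose uid RDN
# is the Kerberos principal name that the AFS pts database knows.
IPA_LDIF = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed snapshot of the AFS side (what `pts membership <group>` would
# show for each group that already exists in the cell).
AFS_STATE = {
    "developers": {"bob", "carol"},
}


def parse_ipa_groups(ldif):
    """Return {group_name: set(usernames)} from LDIF-style ldapsearch output.

    Entries are blank-line separated; `cn` names the group and each `member`
    attribute carries one user DN. The uid RDN of that DN is the user name.
    """
    groups = {}
    current = None
    for line in ldif.splitlines():
        line = line.strip()
        if not line:
            current = None  # blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "cn":
            current = value
            groups.setdefault(current, set())
        elif attr == "member" and current is not None:
            rdn = value.split(",", 1)[0]
            if rdn.startswith("uid="):
                groups[current].add(rdn[len("uid="):])
    return groups


def plan_sync(ipa_groups, afs_state, prefix=""):
    """Compute the minimal list of pts commands to converge AFS on IPA.

    `prefix` is an assumption for sites whose AFS groups are owner-prefixed
    ("owner:group"); groups created by system:administrators may be unprefixed.
    AFS groups absent from `ipa_groups` are left alone on purpose.
    """
    cmds = []
    for name, wanted in sorted(ipa_groups.items()):
        afs_name = prefix + name
        if afs_name in afs_state:
            have = afs_state[afs_name]
        else:
            cmds.append(["pts", "creategroup", "-name", afs_name])
            have = set()
        for user in sorted(wanted - have):
            cmds.append(["pts", "adduser", "-user", user, "-group", afs_name])
        for user in sorted(have - wanted):
            cmds.append(["pts", "removeuser", "-user", user, "-group", afs_name])
    return cmds


def apply_plan(cmds, dry_run=True):
    """Run (or, by default, only render) the planned commands.

    Running for real needs an admin token in the cell (e.g. after `aklog` as a
    principal that is in system:administrators); that part is an assumption
    about the site's setup and is not exercised here.
    """
    rendered = [" ".join(cmd) for cmd in cmds]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    plan = plan_sync(parse_ipa_groups(IPA_LDIF), AFS_STATE)
    for line in apply_plan(plan, dry_run=True):
        print(line)
```

Point it at real data by replacing `IPA_LDIF` with `ldapsearch` output (bind with a Kerberos ticket, `-Y GSSAPI`) and `AFS_STATE` with parsed `pts membership` output for each managed group; keep `dry_run=True` on the first run and read the plan before letting it change the cell.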