[Freeipa-users] Windows Kerberos auth to IPA
Simo Sorce
ssorce at redhat.com
Fri Oct 10 13:59:00 UTC 2008
On Fri, 2008-10-10 at 10:26 +1000, Johan Venter wrote:
> OK, as I understand ksetup I can map certain Kerberos users to local
> accounts on the Windows machine - what I would like to achieve is some
> dynamic way to map a whole group to the local Administrator account, as
> that would satisfy my current objective (that is, giving system
> administrators single sign-on to Windows machines with the same username
> and password they use on the Linux servers) without having to map each
> user individually (as the members of the sysadmin group could change
> regularly).
>
> I realise that a 'group' is really an LDAP construct and not a Kerberos
> one, but I'm truly hoping there is a way to do this.
Unfortunately Windows LSASS.EXE is able to use external user/group
sources only if attached to a Windows domain. MS do not provide means to
easily plug in any other provider.
> Alternatively, am I going about this whole thing wrong? Is there a
> better way to achieve single sign-on through IPA infrastructure on
> Windows? Perhaps using Samba as a domain controller and authenticating
> through it?
Samba can be used, but Samba3 provides NT4-level domains only, which
means no Kerberos.
> It seems crazy to me that if I had an AD server I could happily get
> Windows to log in users that do not exist on the local machine with
> certain privileges; why can I not seem to achieve the same thing without AD?
This is a question only MS can answer in full, although we are making
progress with Samba4 in providing an AD-like domain controller.
Simo.
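For reference, the per-principal mapping that ksetup actually offers (the mechanism Johan describes above) looks like this on the Windows side. This is an added illustration, not part of the thread; the realm EXAMPLE.COM, the KDC name, the workstation name and the account names are placeholders, and the matching host principal and password must already exist in the IPA realm.

```powershell
# Added example (not from the thread): join a standalone Windows machine to an
# MIT/IPA Kerberos realm with ksetup and map realm principals to local accounts.
# Run from an elevated prompt; a reboot is required after /setdomain.

# Placeholder realm and KDC; replace with your own values.
ksetup /setdomain EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM kdc.example.com
ksetup /addkpasswd EXAMPLE.COM kdc.example.com

# Password of the host/<workstation>@EXAMPLE.COM principal created in the realm
# (placeholder value; set the real one out of band, not in a script on disk).
ksetup /setcomputerpassword 'REPLACE-WITH-HOST-PRINCIPAL-PASSWORD'

# Mappings are one principal -> one local account; there is no group construct,
# which is the limitation the thread is about. Prefer a dedicated local account
# holding only the rights the admins need over the built-in Administrator, so the
# mapping can be audited and revoked per person.
ksetup /mapuser jsmith@EXAMPLE.COM LocalSysAdmin
ksetup /mapuser jdoe@EXAMPLE.COM LocalSysAdmin

# Alternative: map every realm principal to a local account of the same name.
# This still requires each local account to exist, so it does not solve the
# "whole group" problem either, but it avoids one shared local identity.
# ksetup /mapuser * *

# Review what the machine currently believes about its realm and mappings.
ksetup /dumpstate
```

Local-account mappings are visible with `ksetup /dumpstate`, which is the place to verify (and periodically review) who can sign on as which local account.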