[Freeipa-users] Windows Kerberos auth to IPA

Simo Sorce ssorce at redhat.com
Fri Oct 10 13:59:00 UTC 2008


On Fri, 2008-10-10 at 10:26 +1000, Johan Venter wrote:

> OK, as I understand ksetup I can map certain Kerberos users to local 
> accounts on the Windows machine - what I would like achieve is some 
> dynamic way to map a whole group to the local Administrator account as 
> that would satisfy my current objective (that is, giving system 
> administrators single sign on to Windows machines with the same username 
> and password they use on the Linux servers) without having to map each 
> user individually (as the members of the sysadmin group could change 
> regularly).
> 
> I realise that a 'group' is really an LDAP construct and not a Kerberos 
> one, but I'm truly hoping there is a way to do this.

Unfortunately Windows LSASS.EXE is able to use external user/group
sources only if attached to a windows domain. MS do not provide means to
easily plug in any other provider.

> Alternatively, am I going about this whole thing wrong? Is there a 
> better way to achieve single sign-on through IPA infrastructure on 
> Windows? Perhaps using Samba as a domain controller and authenticating 
> through it?

Samba can be used, but Samba 3 provides NT4-level domains only, which
means no Kerberos.

> It seems crazy to me that if I had an AD server I could happily get 
> Windows to log in users that do not exist on the local machine with 
> certain privileges, why can I not seem to achieve the same thing without AD?

This is a question only MS can answer in full, although we are making
progress with Samba4 in providing an AD-like domain controller.

Simo.
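For reference, the per-machine ksetup configuration the question refers to, as an added example that is not part of the original thread and not IPA project code. Realm, KDC host and principal names are placeholders; each mapped principal still needs a matching local account, since ksetup only maps Kerberos identities onto accounts that already exist in the local SAM.

```powershell
# Constructed example: join a standalone (non-domain) Windows host to an
# MIT/IPA Kerberos realm and map principals to local accounts.
# Run from an elevated prompt; ksetup changes take effect after a reboot.
$Realm = 'EXAMPLE.TEST'              # placeholder IPA realm
$Kdc   = 'ipa.example.test'          # placeholder IPA server (KDC + kpasswd)

ksetup /setrealm $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# Option 1: explicit one-to-one mappings. The local account on the right
# must already exist; its local group memberships decide the privileges
# the Kerberos user gets, so review them rather than mapping to Administrator.
$Mappings = @{ 'jdoe@EXAMPLE.TEST' = 'jdoe'; 'asmith@EXAMPLE.TEST' = 'asmith' }
foreach ($principal in $Mappings.Keys) {
    $local = $Mappings[$principal]
    if (-not (Get-LocalUser -Name $local -ErrorAction SilentlyContinue)) {
        Write-Warning "local account '$local' does not exist; mapping for $principal will not log on"
    }
    ksetup /mapuser $principal $local
}

# Option 2: map every principal of the realm to a same-named local account.
# This removes the per-user mapping step but, as noted in the thread, it does
# not consult IPA groups: the set of who can log on is still the set of local
# accounts present on this machine.
# ksetup /mapuser * *

# Show the resulting realm and mapping configuration for auditing.
ksetup
```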