[Freeipa-users] Migration from FreeIPA 1.2.1 to 2

Christian Horn chorn at fluxcoil.net
Thu May 26 03:20:57 UTC 2011


On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote:
> On 05/25/2011 01:21 PM, Steven Jones wrote:
> >
> > As far as I am aware Windows clients can only authenticate against ADs.  So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA.
> No, Windows clients can auth against Kerberos realms directly and so
> should be able to auth against an IPA server as well. It is slightly
> complicated and difficult to manage but it can be done.

True, but does not help with the clients fetching LDAP data.
I think the cross-realm setup is a good idea if one wants to run Windows
clients and use SSO together with kerberized services on Linux/Unix:

- the Windows clients stay hooked up to an AD, so in a supported environment
- from following mailing lists I had the impression Microsoft seems to support the scenario
- the Linux/Unix servers can use the IPA and benefit from proper debugging tools, having their server OpenSourced etc.

Christian



