[Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but how are AD trusts handled?
Pekka.Panula at sofor.fi
Tue Apr 2 05:57:03 UTC 2013
> From: Dmitri Pal <dpal at redhat.com>
> >> I also want my AD users (from IPA trust) to log in through ssh, but
> >> afaik this seems to have some older SSSD version, and the same
> >> configuration options that work OK with the CentOS 6 ipa-client
> >> won't work with CentOS 5.
> >>
> >> So what should I modify so that I can log in to my CentOS 5 machine
> >> with AD trust users from IPA? Is there a newer SSSD daemon available
> >> for CentOS 5?
> >>
> > No, it is not and it would be quite hard to build it, I think. You'd
> > need pretty recent version of Kerberos to support the PAC responder
> > that handles users coming via trusts for instance.
>
> Yes this is quite a problem with the current solution.

Are there any guides for RHEL 5.x/CentOS 5.x when using IPA, and if that
same system also needs AD user logins enabled, should we just enable some
PAM module, and everything works if SSSD/IPA is also used?

> But we are looking for some ways to mitigate that.
> Question for you about the older systems:
>
> What would you prefer: those systems pointing to IPA and IPA having a
> way to serve account and authentication or point them directly to AD?
> Do you require kerberos authentication and SSO from those machines or
> simple LDAP authentication is OK?
> Do you have a requirement for all the authentications to actually happen
> in AD for audit purposes or they can happen in IPA when users come from
> the old clients and in AD with trusts when users access newer clients?
>
> Thanks for the input!
>
> Dmitri

For me, it would be good if everything comes from (through) IPA, but
that's not a requirement for me.