[Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
Jakub Hrozek
jhrozek at redhat.com
Thu Apr 4 09:13:08 UTC 2013
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote:
> On 04/02/2013 01:57 AM, Pekka.Panula at sofor.fi wrote:
> > > From: Dmitri Pal <dpal at redhat.com>
> > > >> I want also my AD users (from IPA trust) to login inside thru ssh
> > but
> > > >> afaik this seems to have some older SSSD version and same
> > configuration
> > > >> options that goes ok with CentOS 6 ipa-client wont work with
> > CentOS 5.
> > > >>
> > > >> So what should i modify that i can login to my CentOS 5 machine
> > that i can
> > > >> to login AD trust users from IPA? Is there newer SSSD daemon
> > available for
> > > >> centos 5?
> > > >>
> > > > No, it is not and it would be quite hard to build it, I think. You'd
> > > > need pretty recent version of Kerberos to support the PAC
> > responder that
> > > > handles users coming via trusts for instance.
> > >
> > > Yes this is quite a problem with the current solution.
> >
> > Is there any guides for rhel 5.x/centos 5.x when using IPA and if that
> > same
> > system needs also AD users logins enabled, should we just enable some
> > PAM module
> > and all works if SSSD/IPA is also used?
>
> You would need to backport 1.9 to rhel 5/centos 5
> AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built
> on RHEL5) but you also need to build all the dependencies (samba,
> kerberos etc. and those would be quite a challenge).
>
> Ping jhrozek on #sssd on free node if you need more details, but it is a
> big endeavor so be prepared for a tough journey.
>
You can build the "core SSSD" with no problems and you'll get the fast
cache, AD provider and other improvements but the PAC responder needed
for trusts needs the latest Kerberos (1.10+) and unless I'm wrong also
samba4. You'd have to compile these yourself.
> >
> > > But we are looking for some ways to mitigate that.
> > > Question for you about the older systems:
> > >
> > > What would you prefer: those systems pointing to IPA and IPA having a
> > > way to serve account and authentication or point them directly to AD?
> > > Do you require kerberos authentication and SSO from those machines or
> > > simple LDAP authentication is OK?
> > > Do you have a requirement for all the authentications to actually happen
> > > in AD for audit purposes or they can happen in IPA when users come from
> > > the old clients and in AD with trusts when users access newer clients?
> > >
> > > Thanks for the input!
> > >
> > > Dmitri
> >
> > For me, would be good if all comes from (thru) IPA, but thats not
> > an requirement for me.
> >
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list