[Freeipa-users] New User - Possible to point authentication to external KDC

[Trey Dockendorf]

I just begun evaluating FreeIPA, after having successfully used 389ds
for a few months.  The move from 389 ds to FreeIPA is to leverage the
authorization for host logins and also for simpler management.  The
University I am deploying at has a campus wide KDC and for security
and audit reasons I prefer to point my authentication services at that
Kerberos realm rather than storing passwords.  I have successfully
implemented this using the 389 ds pam pass through authentication
plug-in , but have not found any documentation on how to do this same
thing with FreeIPA.

The complication with doing this is I do not have even a 1 way trust
with the KDC.  Getting a trust (even 1-way) is very difficult if not
impossible, but so far I've been able to make PAM work with that
situation both using local authentication and now 389 ds, both through
PAM.  Is it possible to have FreeIPA query a remote KDC while still
being able to fallback to the local password store (ie external users
not in campus domain).

Thanks
- Trey