[Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but how are AD trusts handled?

Dmitri Pal dpal at redhat.com
Fri Mar 29 20:37:45 UTC 2013


On 03/28/2013 08:27 AM, Jakub Hrozek wrote:
> On Thu, Mar 28, 2013 at 01:14:34PM +0200, Pekka.Panula at sofor.fi wrote:
>> Hi all again
>>
>> I have lots of CentOS 5.x servers and I tested installing ipa-client on one
>> and managed to join it to my IPA domain.
>>
>> I also want my AD users (from IPA trust) to log in through ssh, but
>> afaik this seems to have some older SSSD version, and the same configuration
>> options that work OK with CentOS 6 ipa-client won't work with CentOS 5.
>>
>> So what should I modify so that AD trust users from IPA can log in to my
>> CentOS 5 machine? Is there a newer SSSD daemon available for
>> CentOS 5?
>>
> No, it is not, and it would be quite hard to build it, I think. You'd
> need a pretty recent version of Kerberos to support the PAC responder that
> handles users coming via trusts, for instance.

Yes, this is quite a problem with the current solution.
But we are looking for some ways to mitigate that.
Question for you about the older systems:

What would you prefer: those systems pointing to IPA and IPA having a
way to serve account and authentication, or pointing them directly to AD?
Do you require Kerberos authentication and SSO from those machines, or
is simple LDAP authentication OK?
Do you have a requirement for all the authentications to actually happen
in AD for audit purposes, or can they happen in IPA when users come from
the old clients and in AD with trusts when users access newer clients?

Thanks for the input!

Dmitri


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

