On Tue, 30 May 2017, Andrey Ptashnik via FreeIPA-users wrote:

Thank you for the hint!
We are testing component integration in the non-production environment
in the lab. Can you advise if that is a potentially working solution and
we can get it working, or someone tried without much success and Red Hat
won't be investing time into that development even in the future at
I have no idea on how Red Hat plans to productize FreeIPA features that
aren't developed yet, so no comment on that side.
Upstream-wise, when we get IPA-IPA trust working, we'll get to the point
where this would need to be handled and made to work properly. In
IPA-AD trust this is handled automatically by the code in ipasam module
but IPA-AD trust is more than just a Kerberos realm trust.

A problem with a generic Kerberos realm trust is that it doesn't really
have an answer to an identity part of the question. You would have
Kerberos principals from a trusted realm but you don't know to which
identities they need to be mapped on POSIX systems enrolled into IPA,
for POSIX applications.

This goes further -- if we have no identities, how can we apply RBAC,
HBAC, SUDO, and other rules?

One possible answer to those questions is when you have identical user
names on both sides and you are effectively asking to impersonate IPA
users by trusted realm Kerberos principals. This still needs manual
setup on your side to allow mapping of the principals, but at least it
solves the identity problem. It is, however, hardly the most interesting case.

So what use case do you have in mind for such a trust?

/ Alexander Bokovoy
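One form the "manual setup" for the identical-user-names case could take, as an added example that is not from this thread or from the FreeIPA project: an MIT krb5 auth_to_local rule on the IPA-enrolled hosts that maps a principal from the trusted realm onto the IPA user of the same name, and refuses everything else. The realm names IPA.EXAMPLE.TEST and TRUSTED.EXAMPLE.TEST are assumptions.

```ini
# krb5.conf fragment on an IPA-enrolled host (assumed realm names).
# Kerberos only authenticates the principal; auth_to_local decides which
# local (IPA/POSIX) identity that principal is treated as. Rules are tried
# in order under the host's own realm.
[libdefaults]
    default_realm = IPA.EXAMPLE.TEST

[realms]
    IPA.EXAMPLE.TEST = {
        # Map alice@TRUSTED.EXAMPLE.TEST -> alice, but only for single-component
        # principals ([1:...]) from the one named trusted realm; the anchored
        # regex keeps principals of any other realm from matching, and the
        # character class keeps the result a plain POSIX-style user name.
        auth_to_local = RULE:[1:$1@$0](^[a-z][a-z0-9_-]*@TRUSTED\.EXAMPLE\.TEST$)s/@TRUSTED\.EXAMPLE\.TEST$//
        # DEFAULT maps only single-component principals of the local realm and
        # fails for everything else, so an unmapped foreign principal gets no
        # identity (and therefore no HBAC/sudo/RBAC evaluation) rather than a
        # guessed one.
        auth_to_local = DEFAULT
    }

[domain_realm]
    .trusted.example.test = TRUSTED.EXAMPLE.TEST
    trusted.example.test = TRUSTED.EXAMPLE.TEST
```

The rule only renames the principal; whether `alice` actually exists as an IPA user is still decided by the SSSD/NSS lookup on the host, and the deny-by-default for unmatched foreign principals is the part worth checking after any change.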
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org