Assume my new freeipa server is on 7.4 centos, and my client freeipa hosts are on fedora 25. Assume I create a freeipa user "jdoe" with a NFS4 automounted home dir, to be available on the fedora hosts.
The goal is to ssh remotely into any fedora client host as "jdoe" and be authenticated by the centos freeipa server. Is or can openssh configured to work this way by the initial freeipa server install? If not what steps must be done? Assuming I succeed, may I still ssh to a non freeipa account (ie a local account in /etc/passwd) on the a freeipa server or a fedora freeipa client? How are "non freeipa", ie local accounts handled by open ssh on the fedora 25 client freeipa hosts? -- Thanks for trying to clear up my foggy grasp of freeipa, Tom -- Below is some more background, and additional question(s). -- GOAL: Setup freeipa for w/ kerberos NFS4 file sharing, and autofs/auto mount home directories. A small number of users or hosts. I have a centos 7.3 Internet host "pez.ipa.uqjau.org", with bind/bind-chroot installed and working. There is a "ipa.uqjau.org" delegation NS record and a SOA ipa.uqjau.org record, both mapped to host "pez.ipa.uqjau.org" both in the "uqjau.org" zone. bind is working OK on pez with pez bind authoritative for ipa.uqjau.org, but I plan to uninstall bind-chroot and let 'ipa-server-install' setup bind from scratch. (I understand I need to uninstall bind-chroot, and plan to do so.) I'm new to freeipa, but have read for 7 hours or so, and have spent a couple of hours reading the list. NFS4 is working now. For guidance on the install I have been looking at: <https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.4/html/FreeIPA_Guide/creating-server.html> <https://blog.christophersmart.com/articles/freeipa-how-to-fedora/> How does this look? ipa-server-install --unattended --realm=IPA.UQJAU.ORG --domain=ipa.uqjau.org --ds-password=SOMESECRET_PASSWD --admin-password=SOMESECRET_PW --mkhomedir --ip-address=45.55.89.85 --idstart=50000 --no_hbac_allow --ssh-trust-dns --setup-dns --no-forwarders --no-reverse --zonemgr=SOME_EMAIL_ADDR_HERE --no-dnssec-validation The --zonemgr line above is what I think the man page intends, right? -- thanks, Tom _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org