Thanks Dmitri, the setup was clarified for me yesterday. Looks like I do not need Kerberos implemented for PAM Pass-through.
Since IPA is to be a domain controller, is it necessary to implement Kerberos for server and clients, since I only need Unix hosts to talk to the DC? I mean, can I separate the Kerb part from the IPA and just use it for password change on both sides?

> Prashanth,
>
> The setup is a bit confusing.
> IPA v1 that is currently available can serve users and groups to
> UNIX/Linux clients via nss_ldap.
> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
> IPA v1 does not handle netgroups or hosts. These are the features of v2
> that are coming.
> However the whole point of the IPA is to be a domain controller for
> UNIX/Linux machines and users.
> If you are not planning to use IPA as a domain controller then you
> should look at pure 389 deployment.
> With 389 you can proxy authentications to AD and follow recommendations
> and solutions described on 389 wiki.
> However in this case you can't expect any of the IPA features
> (especially the ones that we are working on now:
> netgroups, automounts, hosts etc.)
>
> Thank you
> Dmitri
>
> _______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users