I got clarification about the setup yesterday. It looks like I do not need
Kerberos implemented for PAM Pass-through.
Since IPA is to be a domain controller, is it necessary to implement
Kerberos for server and clients? Since I only need Unix hosts to talk to
I mean, can I separate the Kerb part from the IPA and just use it for
password change on both sides?
> The setup is a bit confusing.
> IPA v1 that is currently available can serve users and groups to
> UNIX/Linux clients via nss_ldap.
> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
> IPA v1 does not handle netgroups or hosts. These are the features of v2
> that are coming.
> However the whole point of the IPA is to be a domain controller for
> UNIX/Linux machines and users.
> If you are not planning to use IPA as a domain controller then you
> should look at a pure 389 deployment.
> With 389 you can proxy authentications to AD and follow recommendations
> and solutions described on the 389 wiki.
> However in this case you can't expect any of the IPA features
> (especially the ones that we are working on now:
> netgroups, automounts, hosts etc.)
> Thank you
Freeipa-users mailing list