Prashanth Sundaram wrote:
> Thanks Dmitri,
> I was clarified about the setup yesterday. Looks like I do not need
> Kerberos implemented for PAM Pass-through.
> Since IPA is to be a domain controller, is it necessary to implement
> Kerberos for server and clients? Since I only need Unix hosts to talk to
> the DC?
I am sorry, can you be a bit more specific and give a bigger picture?
It seems that you are going to configure UNIX/Linux clients to use IPA
as DC.
So who is going to provide auth for the users via pam?
Would it be configured to use ldap, kerberos or something else?
It is unclear from the description above.

It seems that you do not have a clear picture either.
So maybe it would be simpler to start by describing what you have,
what the constraints are, and what goal you are trying to accomplish.
With this we can try to come up with the best approach using the tools we have.

> I mean can I separate the Kerb part from the IPA and just use it for
> password change on both sides?
Why? Can you explain the reasoning behind this?

Thank you

>> Prashanth,
>> The setup is a bit confusing.
>> IPA v1 that is currently available can serve users and groups to
>> UNIX/Linux clients via nss_ldap.
>> One can also configure pam_ldap or pam_krb5 to authenticate against IPA v1.
>> IPA v1 does not handle netgroups or hosts. These are the features of v2
>> that are coming.
>> However the whole point of the IPA is to be a domain controller for
>> UNIX/Linux machines and users.
>> If you are not planning to use IPA as a domain controller then you
>> should look at a pure 389 deployment.
>> With 389 you can proxy authentications to AD and follow the recommendations
>> and solutions described on the 389 wiki.
>> However in this case you can't expect any of the IPA features
>> (especially the ones that we are working on now:
>> netgroups, automounts, hosts etc.)
>> Thank you
>> Dmitri

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


Freeipa-users mailing list
