On Fri, Dec 18, 2009 at 03:13:22PM -0500, Dan Scott wrote:
> 
> I've just read Simo Sorce's comments about system users and I think
> that this may be causing some of my problems. If I read this
> correctly, I cannot just ssh from one machine to another in a
> different realm using a user in the first realm? 

You can, but since kerberos is only handling authentication you
additionally need to provide uids/gids etc on the other box, the
user account data.


> Is this related to
> the LDAP configuration/entries?

ldap-directory is one way to host it, a quick fix for debugging
is just 'useradd'ing the user on the destination server.
For authorization that data is then used.


> When cross-realm authentication is discussed, does that mean only
> authentication? Or does it include authorization as well?

In kerberos-terms its purely for authentication.


Christian

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to