On Fri, Dec 18, 2009 at 03:13:22PM -0500, Dan Scott wrote:
> I've just read Simo Sorce's comments about system users and I think
> that this may be causing some of my problems. If I read this
> correctly, I cannot just ssh from one machine to another in a
> different realm using a user in the first realm? 

You can, but since kerberos is only handling authentication you
additionally need to provide uids/gids etc on the other box, the
user account data.

> Is this related to
> the LDAP configuration/entries?

ldap-directory is one way to host it, a quick fix for debugging
is just 'useradd'ing the user on the destination server.
For authorization that data is then used.

> When cross-realm authentication is discussed, does that mean only
> authentication? Or does it include authorization as well?

In kerberos-terms its purely for authentication.


Freeipa-users mailing list

Reply via email to