On Fri, Dec 18, 2009 at 03:13:22PM -0500, Dan Scott wrote:
> I've just read Simo Sorce's comments about system users and I think
> that this may be causing some of my problems. If I read this
> correctly, I cannot just ssh from one machine to another in a
> different realm using a user in the first realm?
You can, but since kerberos is only handling authentication you
additionally need to provide uids/gids etc on the other box, the
user account data.
> Is this related to
> the LDAP configuration/entries?
ldap-directory is one way to host it, a quick fix for debugging
is just 'useradd'ing the user on the destination server.
For authorization that data is then used.
> When cross-realm authentication is discussed, does that mean only
> authentication? Or does it include authorization as well?
In kerberos-terms its purely for authentication.
Freeipa-users mailing list