On Mon, 2011-05-09 at 09:38 -0400, Adam Young wrote:
> On 05/09/2011 09:12 AM, Dmitri Pal wrote: 
> > On 05/08/2011 07:39 PM, Adam Young wrote: 
> > > On 05/08/2011 06:20 AM, nasir nasir wrote: 
> > > > 
> > > > Thanks indeed again for the reply. I went through the deployment
> > > > guide and installed and configured FreeIPA 2.0 on a RHEL 6.1
> > > > beta machine for testing. I also configured the browsers on this
> > > > server and a client Kubuntu machine as per the guide. But I
> > > > can't find any doc which explain how to configure a client
> > > > (kubuntu in my case) for single sign on or even accessing a
> > > > service like nfs using the browser when native ipa-client
> > > > package is not available. All the docs are focused on
> > > > configuring client machines using ipa-client package. Is this
> > > > possible? if so could anyone suggest me some guide lines or docs
> > > > for the same ?
> > > 
> > 
> > Does the client have SSSD?
> > If it does making ipa-client work is probably the best path.
> > 
> > If the SSSD is not an option then you are in the realm of PAM_KRB5
> > for the SSO.
> > Please see the FreeIPA 1.2.1 documentation. There is no exact
> > documentation ofr your case but the closest IMO would be the
> > instructions for the Solaris client.
> > http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> > 
> > Also see man pages for pam_krb5.
> > Hope this helps.
> > 
> > Thanks
> > Dmitri
> 
> 
> According to Stephen, Ubuntu has an older version of sssd available.
> Even Debian sid only has 1.2.1
> 
> http://packages.debian.org/unstable/main/sssd


SSSD 1.2.1 has some caveats with IPA usage. Mostly because the HBAC
format changed in the final FreeIPA v2. SSSD 1.2.1 had been released
with the older format, so it won't work.

However, it should be possible to set up SSSD 1.2.1 for use with FreeIPA
if they set 'access_provider = allow' (instead of 'access_provider =
ipa')

However, it WILL require a few manual steps to set up, notably the
acquisition of the host keytab.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to