Quickly, as I'm late.

We are setting up cross realm from AD to a school who runs MIT Kerberos with 
OpenLDAP underneath... A Windows client in our domain can then connect to a 
school resource where it's connected to the school's centralised setup...

So it's possible, yes.

Not with FreeIPA from what I've seen posted, yet... next version, I am assuming so.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Christian Horn [ch...@fluxcoil.net]
Sent: Thursday, 26 May 2011 3:20 p.m.
To: Erinn Looney-Triggs
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote:
> On 05/25/2011 01:21 PM, Steven Jones wrote:
> >
> > As far as I am aware Windows clients can only authenticate against ADs.  So 
> > if you need to authenticate Windows you need a password trust/sync setup 
> > with AD and yes you need an AD as well as FreeIPA.
> No, Windows clients can auth against Kerberos realms directly and so
> should be able to auth against an IPA server as well. It is slightly
> complicated and difficult to manage but it can be done.

True, but does not help with the clients fetching LDAP data.
I think the cross realm setup is a good idea if one wants to run Windows
clients and use SSO together with kerberized services on Linux/Unix:

- the Windows clients stay hooked up to an AD, so in a supported
- from following mailing lists I had the impression Microsoft seems to
support the scenario
- the Linux/Unix servers can use the IPA and benefit from proper
debugging tools, having their server open-sourced etc.


Freeipa-users mailing list
