On 07/03/2012 05:28 PM, Rob Crittenden wrote: > george he wrote: >> Hello all, >> I'm trying to set up a win7 as a client of my freeipa server running on >> fc17. so I followed the instructions here: >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html >> >> But then what? The win7 is currently in a "workgroup". I tried to join >> the win7 to a domain with my ipa realm name, but it failed. >> > > IPA is not an AD replacement, you can't join any Windows machine to it. > > The instructions you referenced are for installing the MIT Kerberos > package in Windows. This just lets you get a ticket from the IPA KDC > that may be usable by various applications (e.g. Firefox) but it isn't > a way to provide domain login. > > Our plan for that is to do cross-realm trust with AD, see the 3.0 beta > released yesterday.
Windows clients generally require a lot more from the domain controller than IPA can provide. And most of the operations are done over the custom MSFT protocols. There might be a way to make the Windows workstation to work with IPA to some extent. My dream is to allow the following use case: Win7 is joined into and AD domain using AD native tools and then via a credential provider is configured to authenticate against IPA. If there is a trust between AD and IPA there should (hopefully) be a way to place the TGT that is acquired by user auth against IPA into some place where MSFT kerberos library would think that this is a TGT for a user who came from a different forest and would use cross realm exchange is user tries to access resources in the AD domain behind the scenes. If that made possible it would really create a set of interesting opportunities as IPA some time in the future would natively support 2FA over Kerberos for login. > > rob > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users