On 07/03/2012 05:28 PM, Rob Crittenden wrote:
> george he wrote:
>> Hello all,
>> I'm trying to set up a Win7 machine as a client of my FreeIPA server running on
>> fc17. So I followed the instructions here:
>> But then what? The win7 is currently in a "workgroup". I tried to join
>> the win7 to a domain with my ipa realm name, but it failed.
> IPA is not an AD replacement; you can't join any Windows machine to it.
> The instructions you referenced are for installing the MIT Kerberos
> package in Windows. This just lets you get a ticket from the IPA KDC
> that may be usable by various applications (e.g. Firefox) but it isn't
> a way to provide domain login.
> Our plan for that is to do cross-realm trust with AD, see the 3.0 beta
> released yesterday.
Windows clients generally require a lot more from the domain controller
than IPA can provide, and most of the operations are done over the
custom MSFT protocols. There might be a way to make the Windows
workstation work with IPA to some extent. My dream is to allow the
following use case:
Win7 is joined into an AD domain using AD native tools and then, via a
credential provider, is configured to authenticate against IPA. If there
is a trust between AD and IPA there should (hopefully) be a way to place
the TGT that is acquired by user auth against IPA into some place where
the MSFT Kerberos library would think that this is a TGT for a user who came
from a different forest and would use the cross-realm exchange if the user tries
to access resources in the AD domain behind the scenes.
If that were made possible it would really create a set of interesting
opportunities, as IPA some time in the future would natively support 2FA
over Kerberos for login.
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-users mailing list