On Thu, 24 Jan 2013, Bob Sauvage wrote:
> I'll give you a concrete example:
> A developer is connected on his laptop with Windows 7. At startup,
> he's prompted to login to the domain with his credentials. These
> credentials are verified by the RHEL server running IPA. Credentials
> are correct and the user is logged in the domain. => At this point, is
> this possible?

Not directly by IPA. You need to use pGINA and its Kerberos plugin
configured against the IPA KDC to allow Windows workstations to obtain
Kerberos tickets from the IPA KDC on the user's logon. Your Windows workstation
users will need to have the same names as IPA domain users and would only
exist for the purpose of logon.

There were discussions about using pGINA with FreeIPA a few years ago; you
may search this mailing list's archive for details. pGINA has improved

> Now, this user wants to connect through SSH to a RHEL server (another
> IPA client). He uses PuTTY and he is connecting to the server, no
> login/password is required, the authentication is done over his IPA
> connection. => Is this possible?

With a Kerberos ticket from the IPA KDC available, it is possible.

> Now, once connected on the RHEL server, he wants to use the command
> "reboot now" but this one is not authorized by the IPA server for this
> user on this server. => Is this possible?

'sudo reboot now', that's possible.
/ Alexander Bokovoy
Freeipa-users mailing list