On 01/24/2013 12:29 PM, Alexander Bokovoy wrote:
> On Thu, 24 Jan 2013, Bob Sauvage wrote:
>> I'll give your a concrete example:
>> A developer is connected on his laptop with Windows 7. At startup,
>> he's prompted to login to the domain with his credentials. These
>> credentials are verified by the RHEL server running IPA. Credentials
>> are correct and the user is logged in the domain. => At this point, is
>> this possible ?
> Not directly by IPA. You need to use pGINA and its Kerberos plugin
> configured against IPA KDC to allow Windows workstations to obtain
> Kerberos tickets from IPA KDC on user's logon. Your Windows workstation
> users will need to have same names as IPA domain users and would only
> exist for the purpose of logon.
> There were discussions about using pGINA with FreeIPA few years ago, you
> may search this list mailing archive for details. pGINA has improved
> since then.
>> Now, this user wants to connect through SSH to a RHEL server (another
>> IPA client). He uses PUTTY and he is connecting to the server, no
>> login/password is required, the authentication is done over his IPA
>> connection. => Is this possible ?
> With Kerberos ticket from IPA KDC available it is possible.
>> Now, once connected on the RHEL server, he wants to use the command
>> "reboot now" but this one is not authorized by the IPA server for this
>> user on this server. => Is this possible ?
> 'sudo reboot now', that's possible.
If you do not want to introduce AD your Windows systems would have
The use cases that you listed would work but this does not mean that
other things that you expect from the Windows client joined to an AD
domain controller would work out of box.
This is why we suggest AD to rule windows clients and IPA for linux clients.
If you want SSO across domains the best option is to establish trusts
between the two domains AD and IPA.
Sync solution would work too but in case of SSH you would have to use
password auth rather than SSO to get from windows worksation into Linux
box, i.e. SSO cross platform would not work.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list