I have just begun evaluating FreeIPA, after having successfully used 389ds for a few months. The move from 389ds to FreeIPA is to leverage the authorization for host logins and also for simpler management. The University I am deploying at has a campus-wide KDC, and for security and audit reasons I prefer to point my authentication services at that Kerberos realm rather than storing passwords. I have successfully implemented this using the 389ds PAM pass-through authentication plug-in, but have not found any documentation on how to do the same thing with FreeIPA.
The complication with doing this is that I do not have even a one-way trust with the KDC. Getting a trust (even one-way) is very difficult if not impossible, but so far I've been able to make PAM work in that situation, first using local authentication and now 389ds, both through PAM. Is it possible to have FreeIPA query a remote KDC while still being able to fall back to the local password store (i.e. external users not in the campus domain)?

Thanks - Trey

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
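For readers who want to see what the 389ds side of this setup looks like, the following is an added example of the PAM pass-through plug-in configuration the poster describes; it is not code from the original post, from the poster, or from the FreeIPA project, and it says nothing about whether FreeIPA will honour it. It is applied with ldapmodify against cn=config. The PAM service name (ldapserver), the suffix ou=People,dc=example,dc=edu and the filter are assumptions chosen for the example.

```ldif
# Added example, not from the original post. Assumptions: the campus
# realm is reached through a PAM service file /etc/pam.d/ldapserver,
# campus accounts live under ou=People,dc=example,dc=edu and carry a uid;
# all DNs, the suffix and the filter below are placeholders.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Name of the PAM service stack (file under /etc/pam.d) used for binds
replace: pamService
pamService: ldapserver
-
# Derive the PAM login name from an attribute of the bind entry (ENTRY)
# rather than from the RDN or the full DN
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# Only binds for entries under this suffix are handed to PAM;
# everything else is an ordinary LDAP bind against userPassword
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,dc=example,dc=edu
-
# Narrow further with a filter: only these entries go to the campus KDC
# (objectClass value is a placeholder for however campus users are marked)
replace: pamFilter
pamFilter: (objectClass=posixAccount)
-
# If PAM (i.e. the campus KDC) rejects the password, retry the bind
# against the entry's own userPassword, which is the local fallback
# the poster wants for accounts outside the campus realm
replace: pamFallback
pamFallback: TRUE
-
# The clear-text password is sent to the directory server for PAM to
# forward to the KDC, so only accept it over a TLS-protected connection
replace: pamSecure
pamSecure: TRUE
```

The matching /etc/pam.d/ldapserver stack is the usual pam_krb5 pairing (auth required pam_krb5.so, account required pam_permit.so) with /etc/krb5.conf pointing at the campus realm. Two caveats a practitioner would want to check: pamFallback=TRUE means a campus user who also has a userPassword set in the directory can authenticate with either secret, so clear the local password for campus accounts if the KDC is meant to be authoritative; and without a keytab for a principal in the campus realm on the directory host, pam_krb5 cannot validate the TGT it obtains, so it cannot detect a spoofed KDC, which is the trade-off of running with no trust at all.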