> From: Dmitri Pal <d...@redhat.com>
> >> I want also my AD users (from IPA trust) to login inside thru ssh but 

> >> afaik this seems to have some older SSSD version and same 
configuration 
> >> options that goes ok with CentOS 6 ipa-client wont work with CentOS 
5. 
> >>
> >> So what should i modify that i can login to my CentOS 5 machine that 
i can 
> >> to login AD trust users from IPA? Is there newer SSSD daemon 
available for 
> >> centos 5?
> >>
> > No, it is not and it would be quite hard to build it, I think. You'd
> > need pretty recent version of Kerberos to support the PAC responder 
that
> > handles users coming via trusts for instance.
> 
> Yes this is quite a problem with the current solution.

Is there any guides for rhel 5.x/centos 5.x when using IPA and if that 
same 
system needs also AD users logins enabled, should we just enable some PAM 
module 
and all works if SSSD/IPA is also used?

> But we are looking for some ways to mitigate that.
> Question for you about the older systems:
> 
> What would you prefer: those systems pointing to IPA and IPA having a
> way to serve account and authentication or point them directly to AD?
> Do you require kerberos authentication and SSO from those machines or
> simple LDAP authentication is OK?
> Do you have a requirement for all the authentications to actually happen
> in AD for audit purposes or they can happen in IPA when users come from
> the old clients and in AD with trusts when users access newer clients?
> 
> Thanks for the input!
> 
> Dmitri

For me, would be good if all comes from (thru) IPA, but thats not 
an requirement for me.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to