> > > >>>> Two questions:
> > > >>>>
> > > >>>> - Any ETA on an updated 3.3.3 Users Guide?
> > > >>>
> > > >>> Our current plan is to release the next documentation release along
> > > >>> with FreeIPA 3.4, when more documentation fixes are factored in.
> > > >>>
> >
> > Would you by any chance know when FreeIPA 3.4 will be released?
> >
> > Looking to update a version 2.2 and would wait for 3.4 if it's
> > reasonably soon.
> >
>
> We planned for Feb but it seems like it would slip. How much is unclear.
> We might reduce the scope and cut it earlier (I mean do not slip too
> much) or try to keep the scope and extend the time a couple of months.
> We will decide in early Feb.

Thanks a lot for the estimated release date. Please do make some
announcement once you guys make up your mind which route to take.

William
>
> Sorry not to have a more precise answer.
>
> Thanks
> Dmitri
>
> > William
> >
> > > >>> Just in case you would like to check the most recent status of the
> > > >>> documentation work (or even help us with it), this page describes
> > > >>> the details
> > > >>>
> > > >>> http://www.freeipa.org/page/Contribute/Documentation
> > > >>>
> > > >>> including instructions how to build HTMLs out of our git tree.
> > > >>>
> > > >>
> > > >> Thanks, I'll take a look.
> > > >>
> > > >>>> - Is AD/IPA synchronization still supported in 3.3.3?  Will it always?
> > > >>>
> > > >>> The AD/IPA synchronization is supported only in terms of bug fixes.
> > > >>> As for the enhancements, the FreeIPA core team is focusing on the
> > > >>> AD trusts:
> > > >>>
> > > >>> http://www.freeipa.org/page/Trusts
> > > >>>
> > > >>> (That does not mean we are not open to contributions from the
> > > >>> community)
> > > >>>
> > > >>> Martin
> > > >>>
> > > >>
> > > >> Thanks for that link - the video was helpful.  Although I'm afraid
> > > >> that is making me lean towards implementing the not recommended
> > > >> "split brain" approach.  Although one thing that is not clear to me
> > > >> is whether doing this consumes CALs for the linux machines since
> > > >> they authenticate against AD.
> > > > > Linux machines do not authenticate against AD DC in single sign-on
> > > > > case. Instead, usually Windows users obtain their Kerberos TGT upon
> > > > > logon to Windows machines and then use it to obtain tickets to
> > > > > services on Linux machines, by obtaining cross-realm TGT from AD DC
> > > > > and presenting it to IPA KDC as a proof. So in single sign-on case
> > > > > it works fine -- authentication against AD happens on AD side.
> > > >
> > > > > Of course, when AD users attempt to log in with password to IPA
> > > > > resources, SSSD would perform communication with AD DC to obtain
> > > > > TGT on their behalf. There is AD DC involved in making a decision
> > > > > whether this AD user is allowed to authenticate. On Kerberos level,
> > > > > however, there are no limitations from where the authentication
> > > > > request comes (unless it is restricted with the firewalls). CALs
> > > > > play role on using Windows resources after authentication happened
> > > > > but in IPA AD trusts case currently only IPA resources can be
> > > > > consumed by AD users, IPA users cannot yet consume Windows
> > > > > resources and therefore get assigned rights to access them.
> > > >
> > >
> > > To clarify the CAL part.
> > > The CALs come in two shapes: per user and per host.
> > > If it is per user and you have users in AD then regardless of how you
> > > integrate with IPA you have to pay these CALs.
> > > > If your CALs are around hosts then they are based on the count of the
> > > > computer objects in AD.
> > > > If the client system is joined directly and has kerberos identity in
> > > > AD domain you have an object in AD that counts towards CALs.
> > > > If you have client joined to IPA and either trust or sync solution in
> > > > place the client is not a member of AD (no computer object in AD) and
> > > > this does not count towards CALs.
> > >
> > > HTH
> > >
> > >
> > >
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager for IdM portfolio
> > > Red Hat Inc.
> > >
> > >
> >
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>