On Wed, 15 Jan 2014, Petr Spacek wrote:
The very same is needed for the IPA side. I think we already had a discussion
on this list last week about how to set up SSSD with two different domains pointing to
different Kerberos realms, but in that case there were
non-overlapping DNS namespaces for both Kerberos realms.
Now, when an SSH client (PuTTY) on win.example.com wants to connect
to lnx.example.com, the AD DC on dc.example.com would issue a Kerberos ticket
for the service host/lnx.example....@example.com based on its own AD credentials.
One will be able to log in with this ticket to lnx.example.com, but
nothing from the IPA side will apply here: sudo and HBAC rules don't know
anything about these users and their authentication source.
In such a situation, what I question is the need for an IPA deployment at all.
If all users will be coming from AD and they are not visible to IPA and
not using IPA features, why spend time with FreeIPA at all?
I think that the requirement is to have two distinct sets of users
while you don't have control over one set (AD users) but you have to
manage the other set (IPA users) somehow.
I have yet to see what the benefit is over having only IPA users. Given that
single sign-on wasn't a concern, it makes no difference then to specify
IPA's user name during logon from AD machines, so no integration would
really be needed.
An attempt to keep users in AD but use IPA features is really asking for
collaboration between the two infrastructure setups.
/ Alexander Bokovoy
Freeipa-users mailing list