On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
> Is it possible with FreeIPA to use an external KDC or pass some or all
> authentication to an external KDC? The KDC at our University may give
> me a one way trust if I describe my implementation plan for FreeIPA.
> Currently I use 389DS with PAM pass through using untrusted pam_krb5.
> I'd like to fully utilize FreeIPA without managing passwords since all
> my users already have University accounts. I just want to manage
> authorization for my systems, not authentication.
You could set up a kerberos trust manually but at the moment we do not
support it in the code or the utilities.
SSSD in particular will have no place to find identity information if
all you have is a kerberos trust, you'd need also an external identity
store to point to, but there is no builtin code in SSSD to link the 2
domain at this point.
We are planning on working on IPA-to-IPA trust, and possibly
IPA-to-*other* so any requirements you can throw at us will be made part
of the consideration and planning to add this kind of functionality in
NM B HTH,
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list