On Wed, 04 Jun 2014, Mark Gardner wrote:
> Does all communication used for the FreeIPA client go between the
> FreeIPA client and the FreeIPA server? Or if we're using FreeIPA / AD
> Trusts, does some communication go to the AD Server?

Yes, an authentication exchange for AD users may happen between IPA client
and AD DCs, initiated by IPA client side:

- in case AD user credentials were delegated and SSSD was configured to
  renew Kerberos keys over time
- in case AD user explicitly kinit itself

In other cases authentication will be initiated by an AD client side
towards IPA client.

SSSD on IPA clients will be talking to IPA server in order to resolve AD
users, it doesn't need to talk directly to AD for this purpose.

/ Alexander Bokovoy
Freeipa-users mailing list