On Wed, 04 Jun 2014, Mark Gardner wrote:
Does all communication used for the FreeIPA client go between the FreeIPA client and the FreeIPA server? Or if we're using FreeIPA / AD Trusts, does some communication go to the AD Server?
Yes, an authentication exchange for AD users may happen between IPA client and AD DCs, initiated by IPA client side:
- in case AD user credentials were delegated and SSSD was configured to renew Kerberos keys over time
- in case AD user explicitly kinit itself
In other cases authentication will be initiated by an AD client side towards IPA client. SSSD on IPA clients will be talking to IPA server in order to resolve AD users; it doesn't need to talk directly to AD for this purpose.
--
/ Alexander Bokovoy