On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just one account and not need to install
additional software on the AD servers if possible.
1) Is it possible to log into a workstation that's been joined to a
domain with IPA credentials?
You mean can I access a Windows workstation joined to AD domain by user
from IPA domain?
No it is not implemented. It will require Global Catalog support in IPA.
Out of curiosity, then why can we do this with the regular Kerberos?
With pure Kerberos the system is not "joined".
Also the user ticket acquired from IPA does not have authorization data
- PAC to be of any meaning in the realm.
You need global catalog for this.
So you can take your Windows system, put MIT Kerberos for Windows on it
and a user from IPA will be able to authenticate to IPA.
I am not sure you will be able to use trusts and authenticate AD users
too, but I am not aware whether anyone tried.
Kerberos libraries for Windows might be too old for this to work
properly. But I am not sure.
If you just want to use IPA for windows you for now have to use the same
Kerberos setup on Windows workstations as you have in the old domain.
Do you mean use regular MIT Kerberos instead of FreeIPA, or configure
the Kerberos portion of FreeIPA like we had it in our old domain?
I mean configure MIT Kerberos for Windows on the Windows client.
On a semi-related note, is there a way to be able to log into a Linux
workstation with an AD account without having to specify the AD domain?
In other words, ssh to a server with <username> instead of
You can set default domain in sssd and then when you use a short name it
will append it.
But for other domains you would have to spell names out.
Thanks again in advance,
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project