On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/05/2015 04:44 AM, Alexander Bokovoy wrote:
On Thu, 05 Feb 2015, Dmitri Pal wrote:
On 02/04/2015 03:01 PM, Hugh wrote:
On 1/29/2015 4:26 PM, Dmitri Pal wrote:
How are the domains connected? Do you use trust or sync?
Trust. We wanted to have just one account and not need to install
additional software on the AD servers if possible.

1) Is it possible to log into a workstation that's been joined to a
domain with IPA credentials?

You mean can I access a Windows workstation joined to AD domain by user
from IPA domain?
No it is not implemented. It will require Global Catalog support in IPA.
Out of curiosity, then why can we do this with the regular Kerberos?

With pure Kerberos the system is not "joined".
Also the user ticket acquired from IPA does not have authorization data (PAC) to be of any meaning in the realm.
You need global catalog for this.

So you can take your Windows system, put MIT Kerberos for Windows on it and a user from IPA will be able to authenticate to IPA. I am not sure you will be able to use trusts and authenticate AD users too, but I am not aware whether anyone tried. Kerberos libraries for Windows might be too old for this to work properly. But I am not sure.
No, it will not work. Active Directory has a global list of trusted
domains/forests and they are keyed by name. If you do trust to IPA as
MIT Kerberos trust, it will not allow you to create trust to IPA as
cross-forest trust because both will be set with the same name.

We are not talking about MIT Kerberos server here.
Just the Kerberos client libraries for Windows, so I think it might work.
The comment you have applies to MIT KDC not to clients.

You can set default domain in sssd and then when you use a short name it will append it.
But for other domains you would have to spell names out.
This is unsupported for legacy clients and for IPA masters. On IPA
masters we rely on having AD users fully qualified, as this is what
triggers name resolution for AD users in the compat tree.

Yes. But the question was about clients.
On clients you can set a default domain. It is not recommended but if you do not have IPA users and only one AD domain that is the way to reduce typing of the whole fully qualified name.
Yep. Just DO NOT DO it on IPA masters or the life of your legacy clients
will be miserable.

--
/ Alexander Bokovoy
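The "default domain" setting discussed above is sssd's default_domain_suffix option. As an added example (not configuration from the thread or from the FreeIPA project), this is what it looks like in /etc/sssd/sssd.conf on an IPA-enrolled client whose users mostly come from one trusted AD domain; the domain and host names are placeholders:

```ini
# /etc/sssd/sssd.conf on an IPA-enrolled CLIENT.
# Added example; ipa.example.test, ad.example.test and the host names
# are assumed placeholders. Do not apply default_domain_suffix on IPA
# masters or legacy (compat-tree) clients: they need AD users fully
# qualified.
[sssd]
services = nss, pam
domains = ipa.example.test

# A short name such as "jdoe" is now looked up as jdoe@ad.example.test.
# Users in any other trusted AD domain, and IPA's own users, must still
# be typed fully qualified (user@other.example.test, user@ipa.example.test).
default_domain_suffix = ad.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_hostname = client1.ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
```

After restarting sssd, `getent passwd jdoe` and `getent passwd jdoe@ad.example.test` should return the same AD user; if only the qualified form resolves, the suffix is not in the [sssd] section or the trust is not yet established.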

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
