Hello Alexander,

Thank you very much for your answers!

> If Windows client is not a part of the domain, there is no SSO and no
> Kerberos. Windows client will attempt using NTLMSSP authentication.
> ...
> Right now -- yes. You are saying you've following "FreeIPA's Samba
> integration guide" which I assume is
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
,
> which only works for Kerberos authentication because NTLMSSP is not
> supported by the SSSD.

Yes, your assumption is absolutely exact ;-)

That's clear now, my thoughts went on this direction too: anyone is
handling a new kerberos ticket request because of authentication type.

> Not really. The story is more complex than it seems and right now there
> is no ready-made solution for out-of-domain Windows clients.

Ok, I understand.

Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this
works fine on Samba3 and 389-DS), but I'm not sure about the configuration.
Can file-server's SSSD have Kerberos auth (result of ipa-client-install)
and LDAP auth (added settings in sssd.conf) at the same time for the same
domain? Will it work together or will I've to choose on of the two?

Thank you!

Regards,

A.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to