> On Feb 7, 2016, at 2:05 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 04 Feb 2016, Alan P wrote:
>> I just configured a trust between an IPA and an Active Directory to
>> authenticate IPA users in Windows machines joined in AD domain. The
> login is successful, but only after several minutes (nearly 25
>> minutes) in the first attempt; in the next attempts, the required time
>> goes from 5 to 10 min. So, what can I do to reduce the time to
>> something more acceptable? (For reference, when an AD user
>> authenticates it only takes 10 seconds or less).
> Alan, this is not yet supported for multiple reasons. We just have
> worked on this with Michael Brown at DevConf.cz over this weekend and
> while we have had certain progress, it requires heavily patching several
> key components, including CyrusSASL library, 389-ds and FreeIPA. Worse
> than that, we need to write Global Catalog service support in FreeIPA to
> allow Windows machines to actually assign proper rights to IPA users.
Wouldn’t a somewhat easier solution for dealing with Windows be to create a
one-way trust so that the AD domain trusts the IPA realm? Then use
AltSecurityID in Windows land to map a “shadow” user to each real principal?
In that way AD gets relegated to a second-class citizen used only for the
subset of (likely comparatively unimportant) tasks where one is forced to use
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
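The Windows side of the one-way realm trust plus "shadow user" mapping suggested in the reply above, as an added example that is not from this thread and not FreeIPA project code. The AD attribute the reply calls "AltSecurityID" is altSecurityIdentities, and AD matches the value "Kerberos:<principal>" against the client principal in a cross-realm ticket. Domain AD.EXAMPLE.TEST, realm IPA.EXAMPLE.TEST, KDC host ipa.ipa.example.test, the user alan and the account name alan-ipa are all assumed names; the matching IPA-side cross-realm principal (krbtgt/AD.EXAMPLE.TEST@IPA.EXAMPLE.TEST, sharing the same trust password) is assumed to exist and is not shown.

```powershell
# Added example; assumed names throughout (AD.EXAMPLE.TEST, IPA.EXAMPLE.TEST,
# ipa.ipa.example.test, alan). Run on a domain controller, or a host with RSAT
# and the ActiveDirectory module, as a Domain Admin. netdom and ksetup ship
# with Windows; Get-ADTrust/New-ADUser/Get-ADUser are from the AD module.
Import-Module ActiveDirectory

$AdDomain = 'AD.EXAMPLE.TEST'        # trusting side (Windows)
$IpaRealm = 'IPA.EXAMPLE.TEST'       # trusted side (IPA Kerberos realm)
$IpaKdc   = 'ipa.ipa.example.test'   # any IPA KDC reachable from the clients

# 1. One-way realm trust: AD trusts the IPA realm, not the other way round.
#    The password must equal the key of krbtgt/AD.EXAMPLE.TEST@IPA.EXAMPLE.TEST
#    on the IPA KDC (assumed to be created there separately). Read it
#    interactively rather than leaving it in shell history.
$trustCred = Get-Credential -UserName 'cross-realm' -Message 'Shared trust password'
netdom trust $AdDomain /Domain:$IpaRealm /Add /Realm `
    /PasswordT:$($trustCred.GetNetworkCredential().Password)
Remove-Variable trustCred

# 2. Windows clients need to know where the IPA KDC lives; repeat on each
#    workstation (or push by GPO) so alan@IPA.EXAMPLE.TEST can get a TGT.
ksetup /addkdc $IpaRealm $IpaKdc

# 3. Shadow account: an AD user that carries the SID and group memberships but
#    can only be reached through the mapped IPA principal. Smart-card-required
#    makes AD scramble the password, so nobody can log on to it with a password.
function New-IpaShadowUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $IpaPrincipal    # e.g. alan@IPA.EXAMPLE.TEST
    )
    $mapping = "Kerberos:$IpaPrincipal"

    # A principal mapped to two accounts makes the lookup ambiguous; refuse.
    $existing = Get-ADUser -LDAPFilter "(altSecurityIdentities=$mapping)"
    if ($existing) {
        throw "$IpaPrincipal is already mapped to $($existing.SamAccountName)"
    }

    # Throwaway random password so the account can be enabled; it is never used.
    $buf = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    $throwaway = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force

    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$AdDomain" `
        -Description "Shadow of $IpaPrincipal" `
        -AccountPassword $throwaway -Enabled $true `
        -SmartcardLogonRequired $true `
        -OtherAttributes @{ altSecurityIdentities = $mapping }
}

# 4. Verify the mapping the way AD will resolve it: by the altSecurityIdentities
#    value. Returns $true when exactly one account claims the principal.
function Test-IpaShadowMapping {
    param([Parameter(Mandatory)] [string] $IpaPrincipal)
    $u = @(Get-ADUser -LDAPFilter "(altSecurityIdentities=Kerberos:$IpaPrincipal)" `
            -Properties altSecurityIdentities)
    if ($u.Count -ne 1) { return $false }
    Write-Host "$IpaPrincipal -> $($u[0].SamAccountName) ($($u[0].SID))"
    return $true
}

New-IpaShadowUser -SamAccountName 'alan-ipa' -IpaPrincipal "alan@$IpaRealm"
Test-IpaShadowMapping -IpaPrincipal "alan@$IpaRealm"

# Direction should read Outbound: AD.EXAMPLE.TEST trusts IPA.EXAMPLE.TEST.
Get-ADTrust -Filter "Name -eq '$IpaRealm'" | Format-List Name, Direction, TrustType
```

Two things to keep in mind with this layout: the AD rights of the shadow account are granted to whoever controls the IPA principal, so the IPA KDC and the shared trust password are now part of AD's trust boundary, and the shadow account itself should never be usable by password (hence the smart-card flag and the discarded random password). Windows resolves the mapping only when the cross-realm ticket's client principal matches the altSecurityIdentities value exactly, realm name included and upper-cased.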