Thanks. I've experimented with that as well with vanilla MIT kerberos (prior to using FreeIPA) and I agree it works just fine. However, the limitation I always found was that it is not practical to manually create the "shadow objects" and then keep in them in sync. I was hoping the "winsync" feature would actually be able to handle that part of it, but it only seems to be able to deal with accounts that come from AD initially.
On 5/18/16 6:03 PM, Coy Hile wrote: > When I've done this in the past, I used mit directly, not IPA. I set up a one > way trust, then used "shadow objects" for users mapped using > alternateSecurityID. I've setup the same one way trust testing with freeipa, > but unfortunately I had to use kadmin.local to do it. I don't know that > that's actually supported. Simo? > > -c > > Sent from my iPad > >> On May 18, 2016, at 17:19, John Meyers <john+free...@themeyers.us> wrote: >> >> All, >> >> FreeIPA as we've discovered has some wonderful Windows integration >> capability, but it is all predicated on Windows AD being the >> authoritative source of user information. 2-Way trusts are great, but >> they only work for kerberotized applications, not native Windows rights >> (that would require FreeIPA to act as global catalog as I learned from >> Alexander). The winsync capability does not, as it turns out, sync >> native IPA users to AD. >> >> The million dollar question is if you are 90% Linux shop and FreeIPA is >> your authoritative user repository (AD is a blank slate), how do you >> perform local Windows login authentication for the 10% of Windows >> machines against FreeIPA? >> >> Thank you all! >> >> John >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project