Even if you get that to work, you are still stuck with the same issue discussed earlier in this thread -- you need to have a Windows account, either local or AD, to be able to log in and grant rights against. pGina just handles the authentication part. The only way to do either a 1-way Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to AD (or Samba AD) to create the "shadow account"? Winsync will not do this.
On 5/18/16 7:49 PM, Michael ORourke wrote:
> What about using the pGina project on the Windows side?
>
> Reference:
> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>
> -Mike
>
> -----Original Message-----
>> From: John Meyers <john+free...@themeyers.us>
>> Sent: May 18, 2016 5:19 PM
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>
>> All,
>>
>> FreeIPA, as we've discovered, has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-way trusts are great, but they only work for Kerberized applications, not native Windows rights (that would require FreeIPA to act as a global catalog, as I learned from Alexander). The winsync capability does not, as it turns out, sync native IPA users to AD.
>>
>> The million dollar question is: if you are a 90% Linux shop and FreeIPA is your authoritative user repository (AD is a blank slate), how do you perform local Windows login authentication for the 10% of Windows machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project