Even if you get that to work, you are still stuck with same issue
discussed earlier in this thread -- you need to have a Windows account,
either local or AD, to be able to login and grant rights against. pGina
just handles the authentication part. The only way to do either a 1-way
Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
AD (or Samba AD) to create the "shadow account"? Winsync will not do this.
On 5/18/16 7:49 PM, Michael ORourke wrote:
> What about using the pGina project on the Windows side?
> -----Original Message-----
>> From: John Meyers <john+free...@themeyers.us>
>> Sent: May 18, 2016 5:19 PM
>> To: firstname.lastname@example.org
>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information. 2-Way trusts are great, but
>> they only work for kerberotized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander). The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>> The million dollar question is if you are 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>> Thank you all!
>> Manage your subscription for the Freeipa-users mailing list:
>> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project