Right, you have some process that creates the shadow accounts with a random,
unknown, unused pass. This assumes you have some workflow for provisioning
rather than doing ad hoc ipa user add as a human.
> On May 18, 2016, at 23:20, John Meyers <john+free...@themeyers.us> wrote:
> Even if you get that to work, you are still stuck with the same issue
> discussed earlier in this thread -- you need to have a Windows account,
> either local or AD, to be able to log in and grant rights against. pGina
> just handles the authentication part. The only way to do either a 1-way
> Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
> AD (or Samba AD) to create the "shadow account"? Winsync will not do this.
>> On 5/18/16 7:49 PM, Michael ORourke wrote:
>> What about using the pGina project on the Windows side?
>> -----Original Message-----
>>> From: John Meyers <john+free...@themeyers.us>
>>> Sent: May 18, 2016 5:19 PM
>>> To: firstname.lastname@example.org
>>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>> FreeIPA as we've discovered has some wonderful Windows integration
>>> capability, but it is all predicated on Windows AD being the
>>> authoritative source of user information. 2-Way trusts are great, but
>>> they only work for Kerberized applications, not native Windows rights
>>> (that would require FreeIPA to act as global catalog as I learned from
>>> Alexander). The winsync capability does not, as it turns out, sync
>>> native IPA users to AD.
>>> The million-dollar question is if you are a 90% Linux shop and FreeIPA is
>>> your authoritative user repository (AD is a blank slate), how do you
>>> perform local Windows login authentication for the 10% of Windows
>>> machines against FreeIPA?
>>> Thank you all!
>>> Manage your subscription for the Freeipa-users mailing list:
>>> Go to http://freeipa.org for more info on the project
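
One way the provisioning step described in the first message could look, as an added example that is not from the thread or from the FreeIPA project: it works out which IPA logins still lack a Windows shadow account and generates the random password that is set once and never recorded. The login lists, the function names and the 20-character sAMAccountName limit check are assumptions of this example; the account-creation call itself is left to whatever directory tooling the site uses.

```python
import secrets
import string

# Assumption: a user's sAMAccountName on the Windows side is at most 20 characters.
SAM_MAX = 20
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%+-=_")


def random_password(length=32):
    """Return a random password containing at least one character of every class.

    The caller sets it on the shadow account and then drops it; it is never
    stored, logged, or handed to the user.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def plan_shadow_accounts(ipa_logins, windows_logins):
    """Compare IPA logins with the accounts that already exist on the Windows side.

    Returns (to_create, rejected): logins that still need a shadow account, and
    logins too long to be used unchanged as a sAMAccountName.
    Windows account names compare case-insensitively.
    """
    existing = {name.lower() for name in windows_logins}
    to_create, rejected = [], []
    for login in sorted(set(ipa_logins)):
        if len(login) > SAM_MAX:
            rejected.append(login)
        elif login.lower() not in existing:
            to_create.append(login)
    return to_create, rejected


# Constructed sample data, not taken from the thread.
IPA_LOGINS = ["alice", "bob", "carol", "svc-build-pipeline-runner"]
WINDOWS_LOGINS = ["Alice", "Administrator"]

if __name__ == "__main__":
    create, skipped = plan_shadow_accounts(IPA_LOGINS, WINDOWS_LOGINS)
    for login in create:
        password = random_password()  # pass to the account-creation call, then drop
        print(f"create shadow account {login} (password length {len(password)}, not recorded)")
    for login in skipped:
        print(f"cannot map {login}: longer than {SAM_MAX} characters")
```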