Right, you have some process that creates the shadow accounts with a random, unknown, unused pass. This assumes you have some workflow for provisioning rather than doing ad hoc ipa user add as a human.
Sent from my iPad

> On May 18, 2016, at 23:20, John Meyers <john+free...@themeyers.us> wrote:
>
> Even if you get that to work, you are still stuck with the same issue
> discussed earlier in this thread -- you need to have a Windows account,
> either local or AD, to be able to login and grant rights against. pGina
> just handles the authentication part. The only way to do either a 1-way
> Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
> AD (or Samba AD) to create the "shadow account"? Winsync will not do this.
>
>> On 5/18/16 7:49 PM, Michael ORourke wrote:
>> What about using the pGina project on the Windows side?
>>
>> Reference:
>> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>>
>> -Mike
>>
>> -----Original Message-----
>>> From: John Meyers <john+free...@themeyers.us>
>>> Sent: May 18, 2016 5:19 PM
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>>
>>> All,
>>>
>>> FreeIPA as we've discovered has some wonderful Windows integration
>>> capability, but it is all predicated on Windows AD being the
>>> authoritative source of user information. 2-Way trusts are great, but
>>> they only work for kerberized applications, not native Windows rights
>>> (that would require FreeIPA to act as global catalog as I learned from
>>> Alexander). The winsync capability does not, as it turns out, sync
>>> native IPA users to AD.
>>>
>>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>>> your authoritative user repository (AD is a blank slate), how do you
>>> perform local Windows login authentication for the 10% of Windows
>>> machines against FreeIPA?
>>>
>>> Thank you all!
>>>
>>> John
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
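The provisioning step the reply at the top describes, as an added example that is not from this thread or from the FreeIPA project: a Python sketch that takes IPA user records (a constructed inline sample standing in for `ipa user-find` output), gives each one a random password that is never disclosed or stored, and builds the AD attributes an LDAP add would use to create the shadow account. The AD container, UPN suffix, and all function names are assumptions.

```python
import secrets
import string

# Placeholder AD values; a real deployment substitutes its own.
AD_USERS_CONTAINER = "CN=Users,DC=example,DC=com"
AD_UPN_SUFFIX = "example.com"
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for what an `ipa user-find` run would return.
IPA_USERS = [
    {"uid": "jmeyers", "givenname": "John", "sn": "Meyers"},
    {"uid": "morourke", "givenname": "Michael", "sn": "ORourke"},
]


def random_unused_password(length=32):
    """Random password nobody is told; it exists only inside the add request."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def encode_unicode_pwd(password):
    """AD sets passwords through unicodePwd: the quoted password in UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def shadow_account(ipa_user):
    """Return (dn, attributes) for the AD shadow of one native IPA user."""
    uid = ipa_user["uid"]
    dn = f"CN={uid},{AD_USERS_CONTAINER}"
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": [uid],
        "userPrincipalName": [f"{uid}@{AD_UPN_SUFFIX}"],
        "givenName": [ipa_user["givenname"]],
        "sn": [ipa_user["sn"]],
        # 512 = NORMAL_ACCOUNT, enabled: Windows can grant rights against it.
        "userAccountControl": ["512"],
        # AD only accepts unicodePwd over an encrypted (LDAPS) connection.
        "unicodePwd": [encode_unicode_pwd(random_unused_password())],
    }
    return dn, attrs


def provision(ipa_users, existing_sam_names):
    """Idempotent pass: build shadow entries only for IPA users AD lacks."""
    return [shadow_account(u) for u in ipa_users
            if u["uid"] not in existing_sam_names]


if __name__ == "__main__":
    for dn, attrs in provision(IPA_USERS, existing_sam_names=set()):
        print(dn, attrs["sAMAccountName"][0])  # the password is never printed
```

Feeding each `(dn, attrs)` pair to an LDAP add over LDAPS, with the set of existing `sAMAccountName` values read from AD first, is the piece a real workflow adds on top of this.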