On Wed, 27 Jul 2016, malo wrote:

Thank you for your reply, it really is much clearer to me now.

I think I get why SSSD offline authentication would help to solve the "AD unreachable" issue.

If I understood well, the SSSD on the IPA master would cache credentials, allowing the user to log in (as in the kinit meaning) even if the AD is unreachable?

On each IPA client, including IPA master. You are always logging in to the
specific host and SSSD always tries to reach the server that gives
authentication response (AD DCs, in the case of AD users). If it cannot
reach that server, offline authentication is considered.

At last, I did not quite understand how the KDC proxy would help to prevent network related issues.

To me it is just a way to allow users with restrictive firewall rules to authenticate and request tickets, if I understood well (from this doc https://www.freeipa.org/page/V4/KDC_Proxy)

/ Alexander Bokovoy