>>     - Users can't login to a Linux box using just "username"
>>     (user@ad.domain is used)
> 
> In the current version you can use the 'default_domain_suffix' option in
> sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> limitation go away.

Thank you very much, Jakub.  That is helpful information!  Are you saying that 
there will basically be a domain search order or something for users that login 
without specifying a domain?

Back to the community as a whole, regarding these other items:

>    - Since AD trust users don't show up in FreeIPA web UI users can't login 
> to manage their own SSH keys

After doing some additional thinking/researching I realized that SSH keys 
become largely irrelevant because of GSSAPI (Dmitri Pal posed this question in 
this thread: 
https://www.redhat.com/archives/freeipa-users/2013-September/msg00290.html).

>    - User/group management in general becomes largely a command-line 
> operation (such as mapping groups so they can be used in HBAC and sudo rules)

While this is a nice-to-have, it isn't a deal breaker.

I have another question.  Can additional authentication requirements (such as 
2FA) be imposed on users from a trust via IPA?

Thanks,

j
