On Sat, Mar 05, 2016 at 10:25:47AM -0600, Kenneth Schwartz wrote:
> I hope somebody can answer this for me and clarify questions I have about this
> process. If this is not the right place to ask the question please tell me
> where I might be able to get answers to my questions.
>
> I want a Linux machine to become a user of the active directory. Does SSSD
> configure you to be part of the Windows domain or is it only using a small
> part such as list, positions of things, resource sharing, etc. Or is it a
> full-fledged Windows user? I want to know about the process of enrolling the
> CAC with the PKI/Windows domain/active directory. When you log in with the
> smartcard/CAC, when and how does enrollment occur? I think enrollment could
> be one of two things: You could use the certificates/identifier number
> from the CAC to enroll and be in active directory/PKI. What is the enrollment
> PKI? I want to understand the associations between the CAC, Windows, and
> what information is stored. I don't think it's the certificate but just
> the number. Once you've logged into the machine does it use certificates
> from the CAC and how does the information get there. How do you associate
> the CAC with the Windows user from active directory? How do you connect
> using your key? Once you're on a machine and you need to log in to a Linux
> machine that's a member and you want to prove who you are
> from a machine that has become part of active directory how do you know? Does
> Linux associate the CAC the same way that Windows does? For SSH? kinit
> involvement?

Depending on the configuration, the machine might be a member of the domain
with the corresponding computer account object (this is normally the case
with id_provider=ad) or just use the LDAP and Kerberos services from AD
(this is typically with id_provider=ldap).

Maybe https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
would help?

> Does the SSS module or pam module handle session tickets or does it only
> give you your only initial ticket granting ticket?

Only the TGT, the rest is handled by libkrb5.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
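
The two setups the reply distinguishes, shown side by side as an added sssd.conf sketch that is not part of the original thread. The domain names, hostnames, bind DN, password placeholder and file paths are constructed assumptions.

```ini
# Constructed example: names, hosts, DNs and paths below are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
# Enable exactly one of the two domain sections defined below.
domains = ad-member

# Case 1 (id_provider=ad): the machine is joined to the domain and has its
# own computer account. SSSD authenticates to AD with the host keytab that
# the join created.
[domain/ad-member]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
cache_credentials = True

# Case 2 (id_provider=ldap): no domain join. AD is used only as an LDAP
# directory for identity lookups and as a Kerberos KDC for authentication.
[domain/ad-ldap-only]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.ad.example.com
ldap_search_base = dc=ad,dc=example,dc=com
ldap_schema = ad
# Without a computer account there is no host keytab, so lookups bind as a
# dedicated low-privilege service account instead.
ldap_default_bind_dn = cn=sssd-lookup,cn=Users,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD
# Protect the bind password and directory data in transit.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
krb5_server = dc1.ad.example.com
krb5_realm = AD.EXAMPLE.COM
# TGT validation needs a key in a local keytab; the ad provider enables it
# by default, while this keytab-less setup has to leave it off.
krb5_validate = False
```

SSSD refuses to start unless sssd.conf is owned by root with mode 0600, which also keeps the bind password in the second section away from unprivileged users.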
