[Freeipa-devel] freeIPA and NIS

Ahmed Kamal email.ahmedkamal at googlemail.com
Tue Aug 12 10:51:15 UTC 2008


I played with pGina before, it was great, but the only limitation I faced
was that Windows does not "see" other users and groups. Logged-in users are
created to be "local" users, which means one can't create shared folders,
and apply permissions and such. Is this resolved by using open-afs (I've
never touched that)? If so, that would really rock! I'd even prefer that to
a samba4 solution!

On Tue, Aug 12, 2008 at 1:40 PM, Christian Horn <chorn at fluxcoil.net> wrote:

> On Tue, Aug 12, 2008 at 11:43:14AM +0200, Angel Marin wrote:
> > (sorry for the off-topic, but it might be of interest for people
> > planning on moving to freeipa)
>
> Seeing what you implemented, I guess it fits to @freeipa :)
>
>
> > We do auth through a home made pGina plugin that does kerberos auth and
> > ensures openafs (roaming profiles and user dirs are in the afs cell) is
> > ready; looking up user info in ldap, ensuring clock is in sync and
> > enabling password change are in the works. Finally kfw and openafs
> > integrated logon plugin takes care of actual tickets for user session so
> > there's SSO*.
> >
> > We've had to patch pGina too as stock one was crashing on us. Once we've
> > been able to polish all the quirks (currently sometimes users are
> > randomly denied access to afs cell on first login) we'll release code
> > and docs somewhere :)
>
> Great.
>
>
> > * Biggest issue with SSO is that it'll only work with apps capable of
> > talking to kfw (firefox, thunderbird, openafs-client, ...), but that's
> > not a problem around here. In theory with Vista clients kfw is capable
> > of writing to system ccache (enabling SSO on IE and the like) but we
> > haven't tried it here.
>
> I did look into running an AD domain and having it cross-trusting the
> Kerberos realm, corporations do not lose the Microsoft support that way
> (what if $stuff happens!) and authentication also from IE works, see
> http://fluxcoil.net/files/sso_crossrealm_kerberos.htm .
> Having no AD server around like in your solution of course feels
> much more convenient.
> Samba4 should be able to play that role in future.
>
>
> Christian
>