[Freeipa-devel] freeIPA and NIS

Angel Marin anmar at anmar.eu.org
Tue Aug 12 11:50:57 UTC 2008


We sync freeipa groups with openafs groups and memberships (simple 
script) so permissions are managed as a regular openafs thing. openafs 
client honors those perms just fine based on the logged in principal. So 
'local' users are only used for the workstation login, no need to use 
windows groups for anything :)

They still can't create local shared folders in the regular way, but if 
everything is in the afs cell, every user can have folders with access 
granted to whoever they (or you) want. It's just a training problem :)

In the broad sense it feels like a more convoluted setup, but it's orders 
of magnitude nicer/easier to have linux home dirs on the same file 
servers as the windows ones while everyone is authenticating to a single 
freeipa realm :) Having the flexibility & network caching performance of 
openafs gives great value for remote & home office setups too; but YMMV :)

Considering Samba4 ships with its own ldap-server implementation and 
doesn't work with a regular MIT kdc AFAIK, I'm not sure it would be 
cleaner in any way ;)

Ahmed Kamal wrote:
> I played with pGina before, it was great, but the only limitation I 
> faced was that Windows does not "see" other users and groups. Logged in 
> users are created to be "local" users, which means one can't create 
> shared folders, and apply permissions and such. Is this resolved by 
> using open-afs (I've never touched that) ? If so, that would really 
> rock! I'd even prefer that to a samba4 solution!
> 
> On Tue, Aug 12, 2008 at 1:40 PM, Christian Horn <chorn at fluxcoil.net 
> <mailto:chorn at fluxcoil.net>> wrote:
> 
>     On Tue, Aug 12, 2008 at 11:43:14AM +0200, Angel Marin wrote:
>      > (sorry for the off-topic, but it might be of interest for people
>      > planning on moving to freeipa)
> 
>     Seeing what you implemented i guess it fits to @freeipa :)
> 
> 
>      > We do auth through a home-made pGina plugin that does kerberos auth and
>      > ensures openafs (roaming profiles and user dirs are in the afs cell) is
>      > ready; looking up user info in ldap, ensuring clock is in sync and
>      > enabling password change are in the works. Finally kfw and openafs
>      > integrated logon plugin takes care of actual tickets for user session so
>      > there's SSO*.
>      >
>      > We've had to patch pGina too as stock one was crashing on us. Once we've
>      > been able to polish all the quirks (currently sometimes users are
>      > randomly denied access to afs cell on first login) we'll release code
>      > and docs somewhere :)
> 
>     Great.
> 
> 
>      > * Biggest issue with SSO is that it'll only work with apps capable of
>      > talking to kfw (firefox, thunderbird, openafs-client, ...), but that's
>      > not a problem around here. In theory with Vista clients kfw is capable
>      > of writing to system ccache (enabling SSO on IE and the like) but we
>      > haven't tried it here.
> 
>     I did look into running an AD-domain and having it cross-trusting the
>     kerberos realm, corporations do not lose the microsoft-support that way
>     (what if $stuff happens!) and authentication also from IE works, see
>     http://fluxcoil.net/files/sso_crossrealm_kerberos.htm .
>     Having no AD server around like in your solution of course feels
>     much more convenient.
>     Samba4 should be able to play that role in future.
> 
> 
>     Christian
> 
>     _______________________________________________
>     Freeipa-devel mailing list
>     Freeipa-devel at redhat.com <mailto:Freeipa-devel at redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-devel
> 
> 


-- 
Angel Marin
http://anmar.eu.org/
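The "simple script" that mirrors freeIPA groups into OpenAFS pts groups is not shown on the list, so here is an added example of how such a sync can be planned. It is not Angel Marin's code. Assumptions (labelled in the code): the freeIPA groups arrive as an LDIF dump of cn=groups,cn=accounts (as ldapsearch prints it), the current AFS state is the text output of `pts membership <group>`, the AFS groups carry the same bare name as the IPA group (created by someone holding system:administrators tokens, so no owner: prefix), and the cell name example.com is made up. The sample LDIF and pts output are constructed for the example. The script only plans and prints the pts commands; it does not delete AFS groups that vanished from IPA, because ACL entries on volumes would then dangle and the freed id could later be reused by an unrelated group.

```python
"""Plan the pts commands needed to mirror freeIPA groups into an OpenAFS cell.

Added example, not the poster's script. Assumptions: IPA groups are given as
LDIF text; AFS state is `pts membership` output; AFS group names equal IPA
group names (admin-created, no owner: prefix); cell name is made up.
"""
import re
import shlex
from typing import Optional

CELL = "example.com"  # assumed cell name

# Constructed sample input: what `ldapsearch -b cn=groups,cn=accounts,...` might print.
IPA_LDIF = """\
dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
member: cn=interns,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed sample input: concatenated `pts membership devs; pts membership ops`.
PTS_OUTPUT = """\
Members of devs (id: -210) are:
  alice
  dave
pts: User or group doesn't exist so couldn't look up id for ops
"""


def parse_ipa_groups(ldif: str) -> dict:
    """Map IPA group cn -> set of member uids. Nested group members are skipped,
    not flattened; flatten on the LDAP side if nesting is used."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        cn, members = None, set()
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                cn = value.strip()
            elif attr == "member":
                m = re.match(r"uid=([^,]+),", value.strip())
                if m:
                    members.add(m.group(1))
        if cn:
            groups[cn] = members
    return groups


def parse_pts_membership(output: str) -> dict:
    """Map AFS group -> set of members, or None when pts reports the group
    as missing. Assumes the classic 'Members of G (id: N) are:' format."""
    afs = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = re.match(r"Members of (\S+) \(id: -?\d+\) are:", line)
        if m:
            current = m.group(1)
            afs[current] = set()
            continue
        m = re.match(r"pts: .*couldn't look up id for (\S+)", line)
        if m:
            afs[m.group(1)] = None
            current = None
            continue
        if current is not None and line.startswith("  ") and line.strip():
            afs[current].add(line.strip())
    return afs


def plan_sync(ipa: dict, afs: dict) -> list:
    """Return pts argv lists that make AFS match IPA. Groups absent from IPA
    are deliberately left alone (no `pts delete`), see the note above."""
    cmds = []
    for name in sorted(ipa):
        want = ipa[name]
        have = afs.get(name)
        if have is None:
            cmds.append(["pts", "creategroup", "-name", name, "-cell", CELL])
            have = set()
        for user in sorted(want - have):
            cmds.append(["pts", "adduser", "-user", user, "-group", name, "-cell", CELL])
        for user in sorted(have - want):
            cmds.append(["pts", "removeuser", "-user", user, "-group", name, "-cell", CELL])
    return cmds


def render(cmds: list) -> list:
    """Shell-quoted command lines, safe to review before running with admin tokens."""
    return [shlex.join(c) for c in cmds]


if __name__ == "__main__":
    # Dry run on the constructed data; pipe into sh after kinit + aklog as an admin.
    for line in render(plan_sync(parse_ipa_groups(IPA_LDIF), parse_pts_membership(PTS_OUTPUT))):
        print(line)
```

On the constructed data the plan is: add bob to devs, remove dave from devs, create ops, add carol to ops. Each pts call needs the admin's AFS token, so the real job runs after `kinit admin` and `aklog`, and users must already exist as pts entries (a separate `pts createuser` pass, not shown) before they can be added to groups.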

