<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 04/02/2013 01:57 AM, <a class="moz-txt-link-abbreviated" href="mailto:Pekka.Panula@sofor.fi">Pekka.Panula@sofor.fi</a> wrote:
<blockquote
cite="mid:OF0846435B.893C0720-ONC2257B41.001F8444-C2257B41.0020B0C4@sofor.fi"
type="cite"><tt><font size="2">> From: Dmitri Pal
<a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a></font></tt>
<br>
<tt><font size="2">> >> I want also my AD users (from IPA
trust)
to login inside thru ssh but <br>
> >> afaik this seems to have some older SSSD version
and same
configuration <br>
> >> options that goes ok with CentOS 6 ipa-client
wont work with
CentOS 5. <br>
> >><br>
> >> So what should i modify that i can login to my
CentOS 5 machine
that i can <br>
> >> to login AD trust users from IPA? Is there newer
SSSD daemon
available for <br>
> >> centos 5?<br>
> >><br>
> > No, it is not and it would be quite hard to build
it, I think.
You'd<br>
> > need pretty recent version of Kerberos to support
the PAC responder
that<br>
> > handles users coming via trusts for instance.<br>
> <br>
> Yes this is quite a problem with the current solution.<br>
</font></tt>
<br>
<tt><font size="2">Is there any guides for rhel 5.x/centos 5.x
when using
IPA and if that same </font></tt>
<br>
<tt><font size="2">system needs also AD users logins enabled,
should
we just enable some PAM module </font></tt>
<br>
<tt><font size="2">and all works if SSSD/IPA is also used?</font></tt>
<br>
</blockquote>
<br>
You would need to backport 1.9 to rhel 5/centos 5<br>
AFAIR you can still build those for RHEL5 (I mean 1.9 can still be
built on RHEL5) but you also need to build all the dependencies
(samba, kerberos etc. and those would be quite a challenge).<br>
<br>
Ping jhrozek on #sssd on free node if you need more details, but it
is a big endeavor so be prepared for a tough journey.<br>
<br>
<blockquote
cite="mid:OF0846435B.893C0720-ONC2257B41.001F8444-C2257B41.0020B0C4@sofor.fi"
type="cite">
<br>
<tt><font size="2">> But we are looking for some ways to
mitigate
that.<br>
> Question for you about the older systems:<br>
> <br>
> What would you prefer: those systems pointing to IPA and
IPA having
a<br>
> way to serve account and authentication or point them
directly to
AD?<br>
> Do you require kerberos authentication and SSO from those
machines
or<br>
> simple LDAP authentication is OK?<br>
> Do you have a requirement for all the authentications to
actually
happen<br>
> in AD for audit purposes or they can happen in IPA when
users come
from<br>
> the old clients and in AD with trusts when users access
newer clients?<br>
> <br>
> Thanks for the input!<br>
> <br>
> Dmitri<br>
</font></tt>
<br>
<tt><font size="2">For me, would be good if all comes from (thru)
IPA,
but thats not </font></tt>
<br>
<tt><font size="2">an requirement for me.</font></tt>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>