<div dir="ltr"><div><div> From: Alexander Bokovoy <abokovoy redhat com> To: Sumit Bose <sbose redhat com> Cc: freeipa-users redhat com Subject: Re: [Freeipa-users] Trust services Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) ----- Original Message ----- > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > I would like to know, if having configured trusts services between FreeIPA > > and Active Directory, allow AD users to authenticate in services that are > > only configured to authenticate against FreeIPA. > > > > For example, having configured the trusts, if I have a mail server that is > > using FreeIPA as its authentication method, can a user A from Active > > Directory, who does not exist in FreeIPA, authenticate in the mail server?. > > It depends a bit on how the users authenticate exactly because IPA > offers Kerberos and LDAP authentication. > > Kerberos should work out of the box because thats one of the trusts > components, trusting Kerberos tickets from the other domain/realm. > > For LDAP authentication you should be able to find the users from the > trusted domain in the compat tree below > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can > do a LDAP bind with the DN form the compat tree and the password used in > AD. Please note that the latter is valid only for FreeIPA 3.3 and later. FreeIPA 3.0 does not support authentication over LDAP in the compat tree. -- / Alexander Bokovoy </div>Ok. I will definitively use Kerberos. But looking at the diagram of page 22 in <a href="http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf">http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf</a> I see that SSSD in the GNU/Linux host is authenticating against both Active Directory and FreeIPA. Does the email server that I mentioned before, have to be configured in a similar way that SSSD in the GNU/Linux host of the example? Or is just enough that it is configured against the FreeIPA Kerberos and nothing else?. </div>Thanks very much. </div>