[Freeipa-users] Windows Kerberos auth to IPA
Johan Venter
mythtv at vulturest.com
Fri Oct 10 00:26:52 UTC 2008
Simo Sorce wrote:
> On Thu, 2008-10-09 at 10:19 +1000, Johan Venter wrote:
>> I'm at a bit of a loss. It seems I need a password on the host principal
>> to make this work, but IPA is completely engineered to not allow that.
>> What should I do?
>
> The latest ipa-getkeytab should allow you to specify a password.
Ok, that's great, however I'm not sure what I should do. I have
configured IPA on a large number of CentOS servers by compiling RPMS
from the RedHat SRPMS.
How would I go about getting this latest version (can I just update the
one executable or do I have to find a way to update the whole of IPA?)
onto a server so I can use ipa-getkeytab to give a host principal a
password?
If there's a manual route I can take, that would be far preferable to
updating all of these machines to the latest IPA that is not already in
SRPMS - or are there more recent SRPMS I can compile from?
I apologise if these seem dumb questions, I'm quite new to IPA (and
Kerberos/LDAP in general) and have made plenty of progress to the point
where all the CentOS servers are working fine, just need to get over
this hump with Windows.
>> Also, if I ever get sign-on working, what can I do about access control?
>> In Linux I can use /etc/security/access.conf and sudoers to provide
>> reasonable access to only specific groups - I wonder how I can map my
>> sysadmins LDAP group to Administrator in Windows and will this have
>> the same effect?
>
> You need to tweak user privileges, but this would be a per machine
> option. As all users and groups will be local to the windows machine.
> Windows do not have any way to get users from a remote server unless it
> is a Windows Domain Controller.
OK, as I understand ksetup I can map certain Kerberos users to local
accounts on the Windows machine - what I would like to achieve is some
dynamic way to map a whole group to the local Administrator account as
that would satisfy my current objective (that is, giving system
administrators single sign-on to Windows machines with the same username
and password they use on the Linux servers) without having to map each
user individually (as the members of the sysadmin group could change
regularly).
I realise that a 'group' is really an LDAP construct and not a Kerberos
one, but I'm truly hoping there is a way to do this.
Alternatively, am I going about this whole thing wrong? Is there a
better way to achieve single sign-on through IPA infrastructure on
Windows? Perhaps using Samba as a domain controller and authenticating
through it?
It seems crazy to me that if I had an AD server I could happily get
Windows to log in users that do not exist on the local machine with
certain privileges, why can I not seem to achieve the same thing without AD?
Regards,
Johan
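For readers following the thread: the Windows side of what is being discussed is configured with ksetup, and the reason a password is needed on the host principal is that ksetup /setcomputerpassword has to be given the same secret the IPA KDC holds for that host. The following is an added illustration, not from the original message or from the IPA project; the realm, KDC name, host name and user names are placeholders.

```powershell
# Added example (not from the original thread). Run in an elevated prompt on
# the standalone Windows host. Placeholders: EXAMPLE.COM, ipa.example.com,
# winhost, johan.

# 1. Tell Windows which Kerberos realm it belongs to and where the KDC is.
ksetup /setrealm EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM ipa.example.com
ksetup /addkpasswd EXAMPLE.COM ipa.example.com

# 2. Set the machine's own Kerberos key. This MUST equal the password that
#    was set on host/winhost.example.com@EXAMPLE.COM in IPA (the thread's
#    "password on the host principal"); otherwise the KDC's service ticket
#    for this host cannot be decrypted and logons fail. Use a long random
#    value and set it on both sides in the same maintenance window.
ksetup /setcomputerpassword '<same-secret-as-host-principal>'

# 3. Map Kerberos principals to LOCAL accounts. Mappings are per principal,
#    per machine; there is no group-to-local-account mapping, which is the
#    limitation Simo describes above. Map to an ordinary local account and
#    grant rights via local group membership rather than mapping to
#    Administrator directly.
ksetup /mapuser johan@EXAMPLE.COM johan

# Optional: map every principal to the local account of the same name.
# Only do this if every local account name is controlled by you.
# ksetup /mapuser * *

# 4. Verify the configuration and reboot for the realm settings to apply.
ksetup
```

The IPA-side counterpart is whatever method the installed ipa-getkeytab offers for setting a password on the host principal; the flag name is version-dependent and is not shown here.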