[Freeipa-users] FreeIPA for Linux desktop deployment

Stephen Gallagher sgallagh at redhat.com
Mon May 9 13:43:20 UTC 2011


On Mon, 2011-05-09 at 09:38 -0400, Adam Young wrote:
> On 05/09/2011 09:12 AM, Dmitri Pal wrote: 
> > On 05/08/2011 07:39 PM, Adam Young wrote: 
> > > On 05/08/2011 06:20 AM, nasir nasir wrote: 
> > > > 
> > > > Thanks indeed again for the reply. I went through the deployment
> > > > guide and installed and configured FreeIPA 2.0 on a RHEL 6.1
> > > > beta machine for testing. I also configured the browsers on this
> > > > server and a client Kubuntu machine as per the guide. But I
> > > > can't find any doc which explains how to configure a client
> > > > (kubuntu in my case) for single sign on or even accessing a
> > > > service like nfs using the browser when native ipa-client
> > > > package is not available. All the docs are focused on
> > > > configuring client machines using ipa-client package. Is this
> > > > possible? If so, could anyone suggest some guidelines or docs
> > > > for the same?
> > > 
> > 
> > Does the client have SSSD?
> > If it does, making ipa-client work is probably the best path.
> > 
> > If the SSSD is not an option then you are in the realm of PAM_KRB5
> > for the SSO.
> > Please see the FreeIPA 1.2.1 documentation. There is no exact
> > documentation for your case but the closest IMO would be the
> > instructions for the Solaris client.
> > http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> > 
> > Also see man pages for pam_krb5.
> > Hope this helps.
> > 
> > Thanks
> > Dmitri
> 
> 
> According to Stephen, Ubuntu has an older version of sssd available.
> Even Debian sid only has 1.2.1.
> 
> http://packages.debian.org/unstable/main/sssd


SSSD 1.2.1 has some caveats with IPA usage. Mostly because the HBAC
format changed in the final FreeIPA v2. SSSD 1.2.1 had been released
with the older format, so it won't work.

However, it should be possible to set up SSSD 1.2.1 for use with FreeIPA
if they set 'access_provider = allow' (instead of 'access_provider =
ipa').

However, it WILL require a few manual steps to set up, notably the
acquisition of the host keytab.
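
Added example, not part of the original thread: FreeIPA HBAC rules are evaluated by SSSD's `ipa` access provider, so a domain configured with any other `access_provider` value does not enforce them on that host. The script below audits an sssd.conf for IPA domains in that state; the sample config, its domain names and the function names are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; example.com uses the setting quoted in the
# message above, lab.example.com uses the ipa access provider.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com, lab.example.com, legacy

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = allow

[domain/lab.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa

[domain/legacy]
id_provider = ldap
"""


def audit_hbac(conf_text):
    """Return (domain, access_provider, hbac_enforced) for each IPA domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "ipa":
            continue  # HBAC is a FreeIPA feature; skip non-IPA domains
        access = opts.get("access_provider", "").strip().lower() or None
        # Only the ipa access provider evaluates HBAC rules.
        findings.append((section[len("domain/"):], access, access == "ipa"))
    return findings


def unenforced_domains(conf_text):
    """Names of IPA domains where HBAC rules are not being applied."""
    return [name for name, _, enforced in audit_hbac(conf_text) if not enforced]


if __name__ == "__main__":
    for name, access, enforced in audit_hbac(SAMPLE_SSSD_CONF):
        state = "HBAC enforced" if enforced else "HBAC NOT enforced"
        print(f"{name}: access_provider={access} -> {state}")
```

Hosts reported as not enforced need another access control (for example pam_access or sshd `AllowGroups`) until the client can be moved to an SSSD release that understands the final FreeIPA v2 HBAC format.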