[Freeipa-users] Migration from FreeIPA 1.2.1 to 2

[Steven Jones]

Quickly as Im late.

We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath....A windows client in our domain can then connect to a school resource where its connected to the school's centralised setup....

So its possible, yes.

Not with freeipa from what Ive seen posted, yet...next version I am assuming so.

regards
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Christian Horn [chorn at fluxcoil.net]
Sent: Thursday, 26 May 2011 3:20 p.m.
To: Erinn Looney-Triggs
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote:
> On 05/25/2011 01:21 PM, Steven Jones wrote:
> >
> > As far as I am aware Windows clients can only authenticate against ADs.  So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA.
> No Windows clients can auth against kerberos realms directly and so
> should be able to auth again an IPA server as well. It is slightly
> complicated and difficult to manage but it can be done.

True, but does not help with the clients fetching ldap data.
I think the cross realm setup is a good idea if one wants to run Windows
clients and use SSO together with kerberized services on linux/unix:

- the windows clients stay hooked up to an AD, so in a supported
environment
- from following mailinglists I had the impression Microsoft seems to
support the scenario
- the linux/unix servers can use the IPA and benefit from proper de-
bugging tools, having their server OpenSourced etc.

Christian

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users