[Freeipa-users] cross domain trust between two IPA servers

Simo Sorce simo at redhat.com
Tue Aug 7 15:44:42 UTC 2012


On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
> 
> This document here implies that this does it.
> 
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL
speak); it is for a classic Kerberos KDC.
However, it is a reasonable guide to experiment with trusts.

> However during testing it does not behave as expected.
> 
> Do you have any documentation on how SSSD can be configured so that
> logging in on a server in a.example.com with a user that exists
> in the IPA server responsible for domain b.example.com can happen,
> based only on the rights the group has in b.example.com.
> 
> Any reference material on how that could work will help me a long way.

You should look into the fact SSSD can be defined to have multiple
domains.

This means, though, that the 'receiving' machines need to be configured
for both realms.

This is one of the gotchas, given the current lack of actual
integration. Moving forward, when we have official integration, manual
configuration of a separate SSSD domain will not be necessary and
group memberships will work better.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
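As an added illustration of the "multiple SSSD domains" approach Simo describes (this is example configuration written for this page, not from his message or from FreeIPA documentation), below is an sssd.conf for a host in a.example.com that also defines b.example.com as a second, independent IPA domain. The server names, the host's own principal name, the keytab paths and the assumption that the host has been separately enrolled in both realms (so that it holds a valid host keytab for each) are assumptions for the example.

```ini
# /etc/sssd/sssd.conf on a host enrolled in a.example.com
# (mode 0600, owned by root; sssd refuses to start otherwise)
[sssd]
config_file_version = 2
services = nss, pam
# Both domains are listed; lookups try them in this order.
domains = a.example.com, b.example.com

[nss]
# Qualified names avoid collisions between "jdoe" in A and "jdoe" in B.
filter_users = root
filter_groups = root

[pam]

# The realm this host was enrolled in with ipa-client-install.
[domain/a.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa          # HBAC rules evaluated by A's IPA server
chpass_provider = ipa
ipa_domain = a.example.com
ipa_server = _srv_, ipa.a.example.com   # assumed server name
ipa_hostname = host1.a.example.com      # assumed host FQDN
krb5_realm = A.EXAMPLE.COM
cache_credentials = True
use_fully_qualified_names = True

# The second, independent realm. There is no trust between the two
# KDCs, so this host must hold its own host/ principal and keytab in
# B.EXAMPLE.COM (assumed to have been created there by hand) and SSSD
# is pointed at that keytab rather than /etc/krb5.keytab.
[domain/b.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa          # HBAC rules come from B's IPA server,
                               # i.e. the group rights defined in B
chpass_provider = ipa
ipa_domain = b.example.com
ipa_server = _srv_, ipa.b.example.com   # assumed server name
ipa_hostname = host1.a.example.com
krb5_realm = B.EXAMPLE.COM
krb5_keytab = /etc/krb5.b.keytab        # assumed path
ldap_krb5_keytab = /etc/krb5.b.keytab   # assumed path
cache_credentials = True
use_fully_qualified_names = True
```

With this in place a user from the second realm logs in as jdoe@b.example.com and is resolved and access-checked against b.example.com's server; because the two SSSD domains are unrelated, group memberships are only those visible within each domain, which is the limitation Simo's reply points out. Check the setup with `getent passwd jdoe@b.example.com` and the SSSD domain log before relying on it.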