[Freeipa-users] Re : RE: Re : Re: Re : Re: Some interrogations about the freeipa deployment

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 24 17:29:39 UTC 2013


On Thu, 24 Jan 2013, Bob Sauvage wrote:
>I'll give you a concrete example:
>
> A developer is connected on his laptop with Windows 7. At startup,
> he's prompted to login to the domain with his credentials. These
> credentials are verified by the RHEL server running IPA. Credentials
> are correct and the user is logged in the domain. => At this point, is
> this possible ?
Not directly by IPA. You need to use pGINA and its Kerberos plugin
configured against the IPA KDC to allow Windows workstations to obtain
Kerberos tickets from the IPA KDC on the user's logon. Your Windows
workstation users will need to have the same names as IPA domain users
and would only exist for the purpose of logon.

There were discussions about using pGINA with FreeIPA a few years ago;
you may search this mailing list's archive for details. pGINA has
improved since then.

> Now, this user wants to connect through SSH to a RHEL server (another
> IPA client). He uses PUTTY and he is connecting to the server, no
> login/password is required, the authentication is done over his IPA
> connection. => Is this possible ?
With a Kerberos ticket from the IPA KDC available, it is possible.

> Now, once connected on the RHEL server, he wants to use the command
> "reboot now" but this one is not authorized by the IPA server for this
> user on this server. => Is this possible ?
'sudo reboot now', that's possible.

-- 
/ Alexander Bokovoy



