[Freeipa-users] possible to use a different kerberos server for some users?
Brian Wheeler
bdwheele at indiana.edu
Thu Jun 20 21:35:14 UTC 2013
Hello!
So here's the situation I'm in. The university has its AD domain locked
down pretty tight -- getting a trust is out of the question, creating
new users isn't allowed, and they seem to have no interest in supporting
Linux management.
I'd like to be able to leverage the AD kerberos server but manage users
locally.
So here's what I'm thinking about doing: putting my site users/groups
and copies of the relevant AD users into IPA. The site users would have
UIDs > 1 billion and the users from AD would have whatever unixuid
attribute they have (only the uid is stored in AD -- they didn't do a
full posix setup). The IDs will not conflict with each other, so I'm
set there.
I'd have two entries in sssd.conf: one entry would have a min/max id
matching the AD users and the other would be 1 billion+ to match the
local users/groups. The AD range would use the university's AD kerberos
for authentication and IPA for everything else. The other would use IPA
normally.
I was able to get this working successfully when setting up 389 manually
by using two nearly identical configs in sssd and making the AD one
resolve first, but I can't seem to figure out the magic chant for making
it work with IPA.
So, is something like this even possible? Is there a better way to be
able to use IPA and stay out of the password business for the real users
of my system? If it comes down to it, I'll manually set up 389 and do
it the way I prototyped it, but I'd really like to have something
resembling a "standard" build. This is all on RHEL6. If a newer
version of IPA is required, I'd be OK with installing it.
Brian
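The two-domain sssd.conf layout Brian describes (one domain for the copied AD accounts that takes identity from IPA but authenticates against the university KDC, a second domain for the 1-billion-plus local accounts that uses IPA for everything), written out as an added illustration that is not part of the original post. The realm names, server hostnames and the lower bound of the AD UID range are placeholders; the poster did not give them.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order: the AD-range domain is consulted first, as in the
# 389-based prototype described in the post.
domains = campus, site

# Accounts copied from AD: identity and group membership come from IPA,
# Kerberos authentication goes to the university AD KDC.
[domain/campus]
id_provider = ipa
ipa_server = ipa.example.edu          ; placeholder IPA server
ipa_domain = example.edu              ; placeholder IPA domain
auth_provider = krb5
chpass_provider = none                ; passwords are not managed here
krb5_realm = ADS.EXAMPLE.EDU          ; placeholder AD realm
krb5_server = dc1.ads.example.edu     ; placeholder AD KDC
min_id = 1000                         ; placeholder lower bound of the AD unixuid range
max_id = 999999999                    ; everything below 1 billion resolves here
cache_credentials = false

# Site-local users and groups (UIDs above 1 billion): IPA for everything.
[domain/site]
id_provider = ipa
ipa_server = ipa.example.edu          ; placeholder IPA server
ipa_domain = example.edu              ; placeholder IPA domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
min_id = 1000000000
cache_credentials = true
```

Because the min_id/max_id windows do not overlap, each UID resolves in exactly one domain, so a user is never authenticated against the wrong KDC. Two points worth checking in such a setup: with `auth_provider = krb5`, sssd only verifies the obtained TGT against a local keytab when `krb5_validate = true` and a keytab for that realm is present, which here would require a host principal in AD that the poster says cannot be created, so the usual KDC-spoofing protection is not available for the campus domain; and none of IPA's password policy or lockout applies to those accounts, since their passwords live in AD.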