[Freeipa-users] possible to use a different kerberos server for some users?

Brian Wheeler bdwheele at indiana.edu
Thu Jun 20 21:35:14 UTC 2013


Hello!

So here's the situation I'm in.  The university has its AD domain locked 
down pretty tight -- getting a trust is out of the question, creating 
new users isn't allowed, and they seem to have no interest in supporting 
Linux management.

I'd like to be able to leverage the AD Kerberos server but manage users 
locally.

So here's what I'm thinking about doing:  putting my site users/groups 
and copies of the relevant AD users into IPA.  The site users would have 
UIDs > 1 billion and the users from AD would have whatever unixuid 
attribute they have (only the uid is stored in AD -- they didn't do a 
full posix setup).  The IDs will not conflict with each other, so I'm 
set there.

I'd have two entries in sssd.conf:  one entry would have a min/max id 
matching the AD users and the other would be 1 billion+ to match the 
local users/groups.  The AD range would use the university's AD Kerberos 
for authentication and IPA for everything else.  The other would use IPA 
normally.

I was able to get this working successfully when setting up 389 manually 
by using two nearly identical configs in sssd and making the AD one 
resolve first, but I can't seem to figure out the magic chant for making 
it work with IPA.

So, is something like this even possible?  Is there a better way to be 
able to use IPA and stay out of the password business for the real users 
of my system?  If it comes down to it, I'll manually set up 389 and do 
it the way I prototyped it, but I'd really like to have something 
resembling a "standard" build.  This is all on RHEL6.  If a newer 
version of IPA is required I'd be ok with installing it.

Brian
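As an added illustration (not from Brian's post, FreeIPA's documentation or the SSSD project), here is how the two-domain sssd.conf he describes could be laid out: an LDAP-backed domain for the AD-range IDs that authenticates against the university KDC, and the enrolled IPA domain for the 1 billion+ site accounts. Hostnames, realm, search base and the exact ID boundaries are assumptions.

```ini
# Constructed example of the two-domain layout; all names and ranges are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order: the AD-range domain is listed first so its users resolve first,
# mirroring the prototype built against a hand-configured 389 DS.
domains = adusers, site

# Users copied from AD: identities come from IPA's LDAP tree (read anonymously or
# with a bind DN, as IPA's ACIs allow), but passwords are verified only by the
# university KDC, so IPA never stores or checks them.
[domain/adusers]
id_provider = ldap
auth_provider = krb5
chpass_provider = none
ldap_uri = ldaps://ipa.example.edu
ldap_search_base = cn=accounts,dc=example,dc=edu
ldap_tls_cacert = /etc/ipa/ca.crt
min_id = 1000
max_id = 999999999
krb5_realm = ADS.UNIVERSITY.EDU
krb5_server = kdc1.ads.university.edu, kdc2.ads.university.edu
# The host has no keytab in the AD realm, so the TGT cannot be validated against
# a host principal; this leaves the usual KDC-spoofing exposure of unvalidated
# Kerberos password checks, which is worth knowing before relying on it.
krb5_validate = false
cache_credentials = true

# Locally managed site accounts: the enrolled IPA domain, used unchanged.
[domain/site]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.edu
ipa_server = ipa.example.edu
ipa_hostname = client.example.edu
min_id = 1000000000
cache_credentials = true
```

Because the AD-range domain talks to IPA as a plain LDAP server rather than as an enrolled IPA client, IPA-specific features such as HBAC rules only apply to the site domain; the adusers domain would need the generic ldap access provider for access control.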