[Freeipa-users] IPA AD Trust issue

KevinTang at umac.mo
Wed Sep 11 06:20:05 UTC 2013


Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client
log on with the Windows AD username only? (only use 'userA' to log in directly,
not 'userA at win_ad.com').

Or, after replication, can I use an IPA account to log on to a Windows client PC
with the IPA username only? (only use 'userB' to log on, rather than
'userB at ipa_ad.com').

Thank you very much
Kevin Tang




From:   Alexander Bokovoy <abokovoy at redhat.com>
To:     KevinTang at umac.mo
Cc:     freeipa-users at redhat.com
Date:   09/11/2013 12:52 PM
Subject:        Re: [Freeipa-users] IPA AD Trust issue



On Wed, 11 Sep 2013, KevinTang at umac.mo wrote:
>Dear all,
>
>I am new to IPA and have some questions about the setup.
>I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
>64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
>Windows AD already have a two-way trust. Windows AD users can log on to the
>IPA client PC.
>
>I have 3 questions about further setup.
>
>1)  IPA Client Login issue.
>On the IPA client, if a Windows AD user wants to log in, they need to type the full name
>such as 'userA at win_ad.com'. How do I let Windows AD users log on only with
>their username? That means only using 'userA' to log on to the IPA client PC rather
>than 'userA at win_ad.com'?
Not supported. There could be some obscure SSSD setting to allow one
SSSD domain (as in /etc/sssd/sssd.conf) to be the default, but since trusted AD
domains are represented as subdomains of a single IPA provider, the full UPN is
used to distinguish and discover which subdomain they belong to, for
performance reasons.

>2) Windows Login issue.
>I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
>Since this Windows PC has already joined the win_ad domain, it allows Windows AD
>domain users to log on. But when I try to log on as an IPA user, for example, logging on
>as 'userB at ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
>currently no logon servers available to service the logon request.' and
>does not allow the IPA user to log on. What do I do now? Do I need to modify
>a Windows AD setting, or a Windows client PC setting?
We do not support this mode yet; it requires implementation of a Global
Catalog service on the IPA side, which is not done yet. Plans for doing that
are in the Fedora 20-21 time frame.

>3) Windows Login issue.
>Can I log in to a Windows AD client PC with the IPA username only (not including
>the IPA domain)? That is, only use 'userB' as the username to log in?
No. Only users from the domain the Windows PC is joined to can be logged in
without an explicit domain name. Since the IPA domain belongs to a separate
forest, you cannot log in without an explicit domain prefix. Please note, even
that will only be possible when we implement the Global Catalog service on
the IPA side.

-- 
/ Alexander Bokovoy
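For question 1, the SSSD option that makes bare usernames resolve to a trusted domain is `default_domain_suffix` in the `[sssd]` section of /etc/sssd/sssd.conf. The fragment below is an added example, not part of the thread and not FreeIPA project configuration; it assumes an SSSD release that understands the option (to my knowledge SSSD 1.10 or later, which the CentOS 6.4 SSSD 1.9 in the thread does not provide), the IPA domain ipa_ad.com and the trusted AD domain win_ad.com named in the thread, and hypothetical host names ipa.ipa_ad.com and client.ipa_ad.com.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example; the domain and host
# names are assumed from the thread, not taken from a real deployment).
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa_ad.com
# Names without a domain component are looked up in win_ad.com, so a bare
# 'userA' means userA@win_ad.com. Caveat: once this is set, users of the IPA
# domain itself (userB) must log in fully qualified, as userB@ipa_ad.com.
default_domain_suffix = win_ad.com

[domain/ipa_ad.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa_ad.com
ipa_server = _srv_, ipa.ipa_ad.com
ipa_hostname = client.ipa_ad.com
cache_credentials = True
krb5_store_password_if_offline = True
# Trusted AD domains such as win_ad.com are discovered as subdomains of this
# IPA provider and need no [domain/...] section of their own.
```

After `service sssd restart` (clear the cache with `sss_cache -E` if stale entries linger), `getent passwd userA` should return the same entry as `getent passwd userA@win_ad.com`, while `getent passwd userB` will no longer resolve until you ask for `userB@ipa_ad.com`. Keep the file mode 0600 and owned by root; SSSD refuses to start otherwise.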


