[Freeipa-users] Updated doc, synchronization question

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 10 00:51:08 UTC 2014 

On Thu, 09 Jan 2014, Orion Poplawski wrote:
>On 01/09/2014 06:07 AM, Martin Kosek wrote:
>> On 01/08/2014 07:16 PM, Orion Poplawski wrote:
>>> Two questions:
>>>
>>> - Any ETA on an updated 3.3.3 Users Guide?
>>
>> Our current plan is to release next documentation release along with FreeIPA
>> 3.4, when more documentation fixes are factored in.
>>
>> Just in case you would like to check the most recent status of the
>> documentation work (or even help us with it), this page describes the details
>>
>> http://www.freeipa.org/page/Contribute/Documentation
>>
>> including instructions how to build HTMLs out of our git tree.
>>
>
>Thanks, I'll take a look.
>
>>> - Is AD/IPA synchronization still supported in 3.3.3?  Will it always?
>>
>> The AD/IPA synchronization is supported only in terms in bug fixes. As for the
>> enhancements, the FreeIPA core team is focusing on the AD trusts:
>>
>> http://www.freeipa.org/page/Trusts
>>
>> (That does not mean we are not open to contributions from the community)
>>
>> Martin
>>
>
>Thanks for the that link - the video was helpful.  Although I'm afraid that is
>making me lean towards implementing the not recommended "split brain"
>approach.  Although one thing that is not clear to me is weather doing this
>consumes CALs for the linux machines since they authenticate against AD.
Linux machines do not authenticate against AD DC in single sign-on case. 
Instead, usually Windows users obtain their Kerberos TGT upon logon to
Windows machines and then use it to obtain tickets to services on Linux
machines, by obtaining cross-realm TGT from AD DC and presenting it to
IPA KDC as a proof. So in single sign-on case it works fine --
authentication against AD happens on AD side.

Of course, when AD users attempt to log in with password to IPA
resources, SSSD would perform communication with AD DC to obtain TGT on
their behalf. There is AD DC involved in making a decision whether
this AD user is allowed to authenticate. On Kerberos level, however,
there are no limitations from where the authentication request comes
(unless it is restricted with the firewalls). CALs play role on using
Windows resources after authentication happened but in IPA AD trusts
case currently only IPA resources can be consumed by AD users, IPA users
cannot yet consume Windows resources and therefore get assigned rights
to access them.

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list