[Freeipa-users] One way trusts

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 15 08:44:16 UTC 2014


On Wed, 15 Jan 2014, Petr Spacek wrote:
>>The very same is needed for the IPA side. I think we already had a discussion
>>on this list last week about how to set up SSSD with two different domains pointing to
>>different Kerberos realms, but in that case there were
>>non-overlapping DNS namespaces for both Kerberos realms.
>>
>>Now, when an SSH client (PuTTY) on win.example.com wants to connect
>>to lnx.example.com, the AD DC on dc.example.com would issue a Kerberos ticket
>>for the service host/lnx.example.com at EXAMPLE.COM based on its own AD credentials.
>>One will be able to log in with this ticket to lnx.example.com, but
>>nothing from the IPA side will apply here: sudo and HBAC rules don't know
>>anything about these users or their authentication source.
>>
>>In such a situation, what I question is the need for an IPA deployment at all.
>>If all users will be coming from AD and they are not visible to IPA and
>>not using IPA features, why spend time with FreeIPA at all?
>
>I think that the requirement is to have two distinct sets of users
>while you don't have control over one set (AD users) but you have to
>manage the other set (IPA users) somehow.
I have yet to see what the benefit is over having only IPA users. Given
that single sign-on wasn't a concern, it makes no difference to specify
an IPA user name during logon from AD machines, so no integration would
really be needed.

An attempt to keep users in AD but use IPA features is really asking for
collaboration between the two infrastructure setups.

-- 
/ Alexander Bokovoy