[Freeipa-users] About Windows client

Dmitri Pal dpal at redhat.com
Fri Mar 21 15:20:48 UTC 2014


On 03/20/2014 11:15 PM, Arthur Faizullin wrote:
> Hi!
> I've got some thoughts on the 4th point: there is the pgina project
> (http://pgina.org/); maybe they are able to do such a thing.

Yes, pgina is one of the options.
Someone would have to take it and integrate with MIT Kerberos for 
Windows if it is not already doing so.
But I suspect that it would be more a project in itself that would 
leverage code from MIT and maybe pgina to integrate different parts.
The biggest part is figuring out the domain affiliation. I mean the use 
cases like this:
a) The system is domainless but user authenticates with user name and 
password against IPA
b) The system is domainless but user authenticates with user name and 
OTP against IPA
c) The system is in an AD domain trusted by IdM domain but user 
authenticates with user name and password against IPA because he is in 
IdM domain.
d) The system is in an AD domain trusted by IdM domain but user 
authenticates with user name and password against IPA because he is in 
IdM domain.

More to research. We can help with guidance if someone wants to run with it.

Thanks
Dmitri

>
> 20.02.2014 04:23, Dmitri Pal wrote:
>> Hello,
>>
>> I want to summarize our position regarding joining Windows systems
>> into IPA.
>>
>> 1) If you already have AD we recommend using this system with AD and
>> using trusts between AD and IPA.
>> 2) If you do not have AD then use Samba 4 instead of it. It would be
>> great when Samba 4 grows capability to establish trusts. Right now it
>> can't but there is an effort going on. If you are interested - please
>> contribute.
>> 3) If neither of the two options works for you, you can configure
>> Windows system to work directly with IPA as described on the wiki. It
>> is an option of last resort because IPA does not provide the services
>> Windows client expects. If this is good enough for you, fine by us.
>> 4) Build a native Windows client (cred provider) for IPA using latest
>> Kerberos. IMO this would be really useful if someone does that because
>> we will not build this ourselves. With the native OTP support in IPA
>> it becomes a real business opportunity to provide a native 2FA inside
>> enterprise across multiple platforms. But please do it the open source way,
>> otherwise we would not recommend you ;-)
>>
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

