[Freeipa-users] About Windows client

Arthur arthur at deus.pro
Sat Mar 22 17:18:26 UTC 2014


Dmitri Pal wrote:
> On 03/20/2014 11:15 PM, Arthur Faizullin wrote:
>> Hi!
>> I've got some thoughts on the 4th point: there is the pgina project
>> (http://pgina.org/); maybe they are able to do such a thing.
>
> Yes pgina is one of the options.
> Someone would have to take it and integrate with MIT Kerberos for 
> Windows if it is not already doing so.
> But I suspect that it would be more a project in itself that would 
> leverage code from MIT and maybe pgina to integrate different parts.
> The biggest part is figuring out the domain affiliation. I mean the use 
> cases like this:
> a) The system is domainless but user authenticates with user name and 
> password against IPA
> b) The system is domainless but user authenticates with user name and 
> OTP against IPA
> c) The system is in an AD domain trusted by IdM domain but user 
> authenticates with user name and password against IPA because he is in 
> IdM domain.
> d) The system is in an AD domain trusted by IdM domain but user 
> authenticates with user name and password against IPA because he is in 
> IdM domain.
>
> More to research. We can help with guidance if someone wants to run 
> with it.
>
> Thanks
> Dmitri
>
>>
>> 20.02.2014 04:23, Dmitri Pal wrote:
>>> Hello,
>>>
>>> I want to summarize our position regarding joining Windows systems
>>> into IPA.
>>>
>>> 1) If you already have AD we recommend using this system with AD and
>>> using trusts between AD and IPA.
>>> 2) If you do not have AD then use Samba 4 instead of it. It would be
>>> great when Samba 4 grows capability to establish trusts. Right now it
>>> can't but there is an effort going on. If you are interested - please
>>> contribute.
>>> 3) If neither of the two options works for you, you can configure
>>> Windows system to work directly with IPA as described on the wiki. It
>>> is an option of last resort because IPA does not provide the services
>>> a Windows client expects. If this is good enough for you, fine by us.
>>> 4) Build a native Windows client (cred provider) for IPA using latest
>>> Kerberos. IMO this would be really useful if someone does that because
>>> we will not build this ourselves. With the native OTP support in IPA
>>> it becomes a real business opportunity to provide a native 2FA inside
>>> enterprise across multiple platforms. But please do it open source way
>>> otherwise we would not recommend you ;-)
>>>
>>>
>
>
My friend agreed to try. He is a C# programmer. But the problem is that 
he has little knowledge of Kerberos and GSSAPI, and I could not tell him 
what is wrong with the current pgina LDAP plugin.
He does not want to subscribe to the FreeIPA mailing lists, so maybe I 
should give him your (Dmitri) e-mail?
He speaks Russian :)



