[Freeipa-users] Bi directional login with AD trusts

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 30 16:28:58 UTC 2015


On Wed, 30 Dec 2015, Anon Lister wrote:
>Hello,
>
>New to list. This is kind of a followup to the post here:
>https://www.redhat.com/archives/freeipa-users/2015-January/msg00351.html
>
>We are one of the odder shops that runs almost entirely Linux, but the need
>to support some Windows stuff that requires AD has come up. We have things
>set up as domain.com (NetBIOS name: DOM), with ipa.domain.com and
>ipa-replica.domain.com.
>
>We just added win.domain.com with a Windows DC on ad.win.domain.com (NB
>Name: WIN).
>
>We are running EL 6.7/ipa 3.0.0. We got the trust setup working, can
>confirm we can mount (test) shares from IPA to Windows domain, can log in to
>the Linux boxes with Windows user credentials, but have been unable to
>figure out how to log in to the Windows boxes with IPA credentials (this was
>really our primary use case, as everything is managed in IPA and hits it
>for authentication, we were hoping to not have to manage 2 sets of accounts
>for the people needing Windows, two places to update passwords, etc.).
>
>Is there support for bidirectional login in newer FreeIPA? I found the
>above thread that seemed to suggest you could not use IPA credentials for
>logging into the Windows domain. Has this changed at all? We would be
>willing to look at upgrading to EL7 (or, I'd rather not, but even Fedora
>Server, if we can get this feature). If not, is it down the pipeline?
Nothing changed. It is down the pipeline but implementation of it
depends on multiple factors so current plan is 'next major update' but
not fixed in time. It is not an easy feat.

-- 
/ Alexander Bokovoy



