[Freeipa-users] AD/IPA login compatibility

Dmitri Pal dpal at redhat.com
Thu Feb 5 07:25:17 UTC 2015


On 02/04/2015 03:01 PM, Hugh wrote:
> On 1/29/2015 4:26 PM, Dmitri Pal wrote:
>> How are the domains connected? Do you use trust or sync?
> Trust. We wanted to have just one account and not need to install
> additional software on the AD servers if possible.
>
>>> 1) Is it possible to log into a workstation that's been joined to a
>>> domain with IPA credentials?
>>>
>> You mean can I access a Windows workstation joined to AD domain by user
>> from IPA domain?
>> No it is not implemented. It will require Global Catalog support in IPA.
> Out of curiosity, then why can we do this with the regular Kerberos?

With pure Kerberos the system is not "joined".
Also the user ticket acquired from IPA does not have authorization data 
(PAC) to be of any meaning in the realm.
You need global catalog for this.

So you can take your Windows system, put MIT Kerberos for Windows on it 
and a user from IPA will be able to authenticate to IPA.
I am not sure you will be able to use trusts and authenticate AD users 
too, but I am not aware whether anyone tried.
Kerberos libraries for Windows might be too old for this to work 
properly. But I am not sure.


>
>> If you just want to use IPA for Windows you, for now, have to use the same
>> Kerberos setup on Windows workstations as you have in the old domain.
> Do you mean use regular MIT Kerberos instead of FreeIPA, or configure
> the Kerberos portion of FreeIPA like we had it in our old domain?

I mean configure MIT Kerberos for Windows on the Windows client.

>
> On a semi-related note, is there a way to be able to log into a Linux
> workstation with an AD account without having to specify the AD domain?
> In other words, ssh to a server with <username> instead of
> <username at ad.domain.com>.

You can set a default domain in sssd and then when you use a short name it 
will append it.
But for other domains you would have to spell names out.

>
> Thanks again in advance,
>
> Hugh
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
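An added example (not from this thread) of the sssd setting Dmitri refers to, assuming the IPA domain is ipa.domain.com, the trusted AD domain is ad.domain.com as in Hugh's question, and the file is /etc/sssd/sssd.conf:

```ini
# /etc/sssd/sssd.conf (added example; domain names are assumptions)
[sssd]
domains = ipa.domain.com
services = nss, pam

# A name with no @domain is treated as belonging to this domain, so
# "ssh hugh@server" is looked up as hugh@ad.domain.com.
# Caveat (as Dmitri notes): once this is set, users from every other
# domain, including IPA's own users, must be spelled out in full,
# e.g. admin@ipa.domain.com, or they will not resolve.
default_domain_suffix = ad.domain.com

[domain/ipa.domain.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.domain.com
ipa_server = _srv_
cache_credentials = True
# The AD trust is exposed as a subdomain of the IPA domain; no separate
# [domain/ad.domain.com] section is needed for trusted users to resolve.
```

After restarting sssd, `getent passwd hugh` should return the AD user and `getent passwd admin` should now fail until written as `admin@ipa.domain.com`.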
