[Freeipa-users] AD/IPA login compatibility

Dmitri Pal dpal at redhat.com
Thu Feb 5 12:18:39 UTC 2015


On 02/05/2015 04:44 AM, Alexander Bokovoy wrote:
> On Thu, 05 Feb 2015, Dmitri Pal wrote:
>> On 02/04/2015 03:01 PM, Hugh wrote:
>>> On 1/29/2015 4:26 PM, Dmitri Pal wrote:
>>>> How are the domains connected? Do you use trust or sync?
>>> Trust. We wanted to have just one account and not need to install
>>> additional software on the AD servers if possible.
>>>
>>>>> 1) Is it possible to log into a workstation that's been joined to a
>>>>> domain with IPA credentials?
>>>>>
>>>> You mean can I access a Windows workstation joined to AD domain by
>>>> user from IPA domain?
>>>> No it is not implemented. It will require Global Catalog support in
>>>> IPA.
>>> Out of curiosity, then why can we do this with the regular Kerberos?
>>
>> With pure Kerberos the system is not "joined".
>> Also the user ticket acquired from IPA does not have authorization 
>> data - PAC to be of any meaning in the realm.
>> You need global catalog for this.
>>
>> So you can take your Windows system, put MIT Kerberos for Windows on 
>> it and a user from IPA will be able to authenticate to IPA.
>> I am not sure you will be able to use trusts and authenticate AD 
>> users too, but I am not aware whether anyone tried.
>> Kerberos libraries for Windows might be too old for this to work 
>> properly. But I am not sure.
> No, it will not work. Active Directory has a global list of trusted
> domains/forests and they are keyed by name. If you do trust to IPA as
> MIT Kerberos trust, it will not allow you to create trust to IPA as
> cross-forest trust because both will be set with the same name.

We are not talking about the MIT Kerberos server here.
Just the Kerberos client libraries for Windows, so I think it might work.
The comment you have applies to the MIT KDC, not to clients.

>
>> You can set default domain in sssd and then when you use a short name 
>> it will append it.
>> But for other domains you would have to spell names out.
> This is unsupported for legacy clients and for IPA masters. On IPA
> masters we rely to have AD users fully qualified as this is what
> triggers name resolution for AD users in the compat tree.
>
Yes. But the question was about clients.
On clients you can set a default domain. It is not recommended but if 
you do not have IPA users and only one AD domain that is the way to 
reduce typing of the whole fully qualified name.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
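The client-side default domain discussed above, as an added sssd.conf example that is not from the thread or from the FreeIPA project: an IPA-enrolled client whose only users come from a single trusted AD domain. The domain names ipa.example.com and ad.example.com are placeholders.

```ini
# /etc/sssd/sssd.conf on an IPA *client* (never on an IPA master, where
# the compat tree relies on AD users staying fully qualified).
[sssd]
services = nss, pam
domains = ipa.example.com
# Short names such as "jdoe" are looked up as "jdoe@ad.example.com".
# Only sensible when there are no IPA users and exactly one AD domain;
# users from any other domain still need the full user@domain form.
default_domain_suffix = ad.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com
# Keep the cache owned by root and the file mode 0600, as sssd requires.
cache_credentials = True
```

After restarting sssd, `id jdoe` and `id jdoe@ad.example.com` should return the same AD account, which is a quick check that the suffix is being appended.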
