[Freeipa-users] AD/IPA login compatibility

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 5 12:25:55 UTC 2015


On Thu, 05 Feb 2015, Dmitri Pal wrote:
>On 02/05/2015 04:44 AM, Alexander Bokovoy wrote:
>>On Thu, 05 Feb 2015, Dmitri Pal wrote:
>>>On 02/04/2015 03:01 PM, Hugh wrote:
>>>>On 1/29/2015 4:26 PM, Dmitri Pal wrote:
>>>>>How are the domains connected? Do you use trust or sync?
>>>>Trust. We wanted to have just one account and not need to install
>>>>additional software on the AD servers if possible.
>>>>
>>>>>>1) Is it possible to log into a workstation that's been joined to a
>>>>>>domain with IPA credentials?
>>>>>>
>>>>>You mean can I access a Windows workstation joined to AD 
>>>>>domain by user
>>>>>from IPA domain?
>>>>>No it is not implemented. It will require Global Catalog 
>>>>>support in IPA.
>>>>Out of curiosity, then why can we do this with the regular Kerberos?
>>>
>>>With pure Kerberos the system is not "joined".
>>>Also the user ticket acquired from IPA does not have authorization 
>>>data - PAC to be of any meaning in the realm.
>>>You need global catalog for this.
>>>
>>>So you can take your Windows system, put MIT Kerberos for Windows 
>>>on it and a user from IPA will be able to authenticate to IPA.
>>>I am not sure you will be able to use trusts and authenticate AD 
>>>users too, but I am not aware whether anyone tried.
>>>Kerberos libraries for Windows might be too old for this to work 
>>>properly. But I am not sure.
>>No, it will not work. Active Directory has a global list of trusted
>>domains/forests and they are keyed by name. If you do trust to IPA as
>>MIT Kerberos trust, it will not allow you to create trust to IPA as
>>cross-forest trust because both will be set with the same name.
>
>We are not talking about MIT kerberos server here.
>Just the Kerberos client libraries for Windows, so I think it might work.
>The comment you have applies to MIT KDC not to clients.
>
>>
>>
>>>You can set default domain in sssd and then when you use a short 
>>>name it will append it.
>>>But for other domains you would have to spell names out.
>>This is unsupported for legacy clients and for IPA masters. On IPA
>>masters we rely on AD users being fully qualified, as this is what
>>triggers name resolution for AD users in the compat tree.
>>
>Yes. But the question was about clients.
>On clients you can set a default domain. It is not recommended but if 
>you do not have IPA users and only one AD domain that is the way to 
>reduce typing of the whole fully qualified name.
Yep. Just DO NOT DO it on IPA masters or life of your legacy clients
will be miserable.

-- 
/ Alexander Bokovoy
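For reference, the client-side setting discussed in this thread is the `default_domain_suffix` option in the `[sssd]` section of sssd.conf. The fragment below is an added illustration, not something posted in the thread or shipped by the FreeIPA project: the domain names and hostnames are placeholders, and it assumes a client enrolled with ipa-client-install (which writes the `[domain/...]` section). It is shown for an IPA client only; as stated above, the option does not belong on IPA masters or legacy clients.

```ini
# /etc/sssd/sssd.conf on an IPA *client* (not an IPA master).
# Added example; all names below are placeholders.
[sssd]
services = nss, pam
domains = ipa.example.test
# With this set, a short name such as "jdoe" is looked up as
# jdoe@ad.example.test. Users of any other domain, IPA users
# included, must still be spelled out fully qualified.
# Only sensible when the client has no IPA users to collide with
# and exactly one trusted AD domain; leave it unset otherwise.
default_domain_suffix = ad.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
```

After restarting sssd, `getent passwd jdoe` should return the AD user while `getent passwd admin@ipa.example.test` still resolves the IPA user by its fully qualified name; if the short form starts returning IPA accounts instead, the suffix is masking a collision and should be removed.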