[Freeipa-users] AD/IPA login compatibility

Dmitri Pal dpal at redhat.com
Thu Jan 29 22:26:29 UTC 2015


On 01/29/2015 04:39 PM, Hugh wrote:
>
> All,
>
> I've been trying to get our new AD environment and our existing IPA 
> environment all happy, but am having little luck. To start, our info 
> and a few questions:
>
> IPA servers running CentOS 6.5 and ipa-server-3.0.0-42
> Windows DC servers running Windows Server 2012
>
> Anonymized domain info:
> IPA NetBIOS domain: IPA
> IPA DNS domain: domain.com
> WIN NetBIOS domain: AD
> WIN DNS domain: win.domain.com
>
> AD environment using itself for DNS, IPA environment using external 
> DNS (Cobbler/Bind). The appropriate _tcp, _ldap, etc. DNS entries have 
> been created in the domain.com domain in Bind. I 
> have set up users in IPA and AD with the same username and added a 
> name mapping in AD to username at DOMAIN.COM.
>
>

How are the domains connected? Do you use trust or sync?


> 1) Is it possible to log into a workstation that's been joined to a 
> domain with IPA credentials?
>

You mean, can a user from the IPA domain access a Windows workstation 
joined to the AD domain?
No, it is not implemented. It will require Global Catalog support in IPA.

> 2) If so, what are the minimum requirements for that? Do I need to run 
> FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora? Something else?
>
> 3) Is there any way to log into the domain workstation with the 
> NetBIOS domain and username and have it authenticate against the IPA 
> environment? As in AD\username instead of username at DOMAIN.COM? 
> If only the latter will work, will users 
> be able to map drives and access other AD resources without being 
> prompted for username/pass?

You seem to be looking for the full mutual trust capability. It is not 
there yet.
Help is welcome!

>
> 4) For initial setup of users, do the passwords for the AD and IPA 
> accounts need to be the same? Will a password change in the Windows 
> environment change the IPA password?

If you use sync, then users and passwords are synced.
If you use trust, users stay where they are created (in AD or in IPA) 
and the client is redirected to the AD or IPA domain the user is created in.

>
> Any other hints, etc. for how to get this all working would be 
> appreciated. I've gone through the FreeIPA AD Trust page(s) and 
> various other sources, but am unclear on how things should work and 
> whether or not I'm doing something wrong. Our old Windows 2003 domain 
> is authenticating fine against MIT Kerberos, so I'm rather surprised 
> how difficult this is proving to be.

If you just want to use IPA for Windows, you for now have to use the same 
Kerberos setup on Windows workstations as you have in the old domain.
The main point of IPA is to serve Linux clients, not to replace AD. The 
AD can be replaced with Samba 4, and we are working on making it support 
trusts with IPA.
>
> Many thanks in advance,
>
> Hugh
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
