[Freeipa-users] Active Directory Integration and limitations
Domineaux Philippe
pdomineaux at gmail.com
Wed Nov 18 10:46:40 UTC 2015
Here is my environment:
1 Windows Domain
Windows workstations
Windows servers
Multiple linux domains
Linux workstations
Linux servers
Here is my goal:
All users are centralized in the Active Directory.
Users will authenticate on Linux workstations with their AD accounts (using POSIX attributes).
Linux workstations must have access to NFS shares on Linux servers.
What are the limitations?
Are Windows users equal to IPA users in terms of services?
Do I have to configure Kerberos to also join the Windows Kerberos realm directly, or will IPA do the job of asking the Windows server?
In /etc/krb5.conf:
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = yes
allow_weak_crypto = true
[realms]
IPA.ORG = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
auth_to_local = DEFAULT
}
### IS THIS NECESSARY
WINDOMAIN.LOCAL = {
kdc = srvadipa.windomain.local
admin_server = srvadipa.windomain.local
}
[domain_realm]
.cosmo.org = COSMO.ORG
cosmo.org = COSMO.ORG
### IS THIS NECESSARY
.windomain.local = WINDOMAIN.LOCAL
windomain.local = WINDOMAIN.LOCAL
Is the bug in libnfsidmap still active, preventing Windows users from accessing an NFS4 krb5-secured shared folder?
I currently have the bug described here:
https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
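To see what the two auth_to_local lines in the posted krb5.conf actually decide, here is an added example (not part of the original mail, and not FreeIPA or MIT Kerberos code) that models the RULE and DEFAULT mapping semantics in Python and runs the author's rule over a few constructed principals. It is a simplified reading of the MIT krb5.conf documentation: a RULE applies only when the principal has exactly n components, the selector string is built from $0 (realm) and $1..$n (components), the parenthesised regexp acts as a guard, and the sed-style substitution is then applied; DEFAULT maps a single-component principal in default_realm to that component. The default realm IPA.ORG is taken from the posted [libdefaults]; the sample principals are constructed.

```python
import re

# The author's krb5.conf rules, with the RULE joined onto one line
# (it was wrapped by the mail client).
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.ORG"  # from the posted [libdefaults]

# RULE:[<n>:<selector>](<guard regexp>)s/<pattern>/<replacement>/[g]
_RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/(.*?)/(.*?)/(g?)")


def split_principal(principal):
    """Return (components, realm) for 'comp1/comp2@REALM'."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Apply one auth_to_local rule; return the local name or None if it does not apply.

    Simplified model of MIT krb5 semantics (assumption, see lead-in).
    """
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: single-component principals in the default realm map
        # to their first component; everything else is left unmapped.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported auth_to_local rule: %r" % rule)
    ncomp, selector, guard, pattern, replacement, flags = m.groups()
    if len(components) != int(ncomp):
        return None  # rule only applies to principals with exactly n components
    text = selector.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        text = text.replace("$%d" % i, comp)
    if not re.search(guard, text):
        return None  # guard regexp did not match: rule is skipped
    count = 0 if flags == "g" else 1  # re.sub count=0 means "replace all"
    return re.sub(pattern, replacement, text, count=count)


def map_principal(principal, rules=AUTH_TO_LOCAL_RULES, default_realm=DEFAULT_REALM):
    """First matching rule wins; None means the principal gets no local identity."""
    for rule in rules:
        result = apply_rule(rule, principal, default_realm)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    # Constructed sample principals, not taken from the mail.
    for p in ("jdoe@WINDOMAIN.LOCAL", "admin@IPA.ORG",
              "host/srv.ipa.org@IPA.ORG", "jdoe@OTHER.EXAMPLE"):
        print("%-28s -> %s" % (p, map_principal(p)))
```

Under these rules an AD principal jdoe@WINDOMAIN.LOCAL is mapped to the local name jdoe@windomain.local (only the realm part is lowercased), admin@IPA.ORG maps to admin via DEFAULT, and a principal from any other realm, or a multi-component principal such as a host principal, gets no mapping at all and is therefore refused by services that rely on auth_to_local. The mapped name only helps if the system can actually resolve it (for trusted-domain users that is the fully-qualified name SSSD exposes), and the guard regexp is what keeps the rule from rewriting principals of unrelated realms, so it is worth checking that it is anchored exactly as in the posted line.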