[Freeipa-users] Active Directory Integration and limitations

Domineaux Philippe pdomineaux at gmail.com
Wed Nov 18 10:46:40 UTC 2015


Here is my environment :

1 Windows Domain
Windows workstations
Windows servers
Multiple Linux domains
Linux workstations
Linux servers

Here is my goal :

All users are centralized in the Active Directory.
Users will authenticate on Linux workstations with their AD accounts (using POSIX attributes).
Linux workstations must have access to NFS shares on Linux servers.


What are the limitations?
Are Windows users equal to IPA users in terms of services?

Do I have to configure Kerberos to also join the Windows Kerberos realm directly,
or will IPA do the job of asking the Windows server?

in /etc/krb5.conf:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  canonicalize = yes
  allow_weak_crypto = true

[realms]
  IPA.ORG = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
    auth_to_local = DEFAULT
  }

  ### IS THIS NECESSARY
  WINDOMAIN.LOCAL = {
    kdc = srvadipa.windomain.local
    admin_server = srvadipa.windomain.local
  }


[domain_realm]
  .cosmo.org = COSMO.ORG
  cosmo.org = COSMO.ORG

  ### IS THIS NECESSARY
  .windomain.local = WINDOMAIN.LOCAL
  windomain.local = WINDOMAIN.LOCAL




Is the bug in libnfsidmap still active, and does it prevent Windows users from accessing
NFS4 krb5-secured shared folders?

I currently have this bug here:
https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
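The auth_to_local entries in the krb5.conf above decide which local user name an AD principal is mapped to once its ticket has been accepted. The following script is an added example, not code from the original post or from FreeIPA; it re-implements the documented semantics of MIT krb5 RULE:[n:string](regexp)s/pattern/replacement/[g] entries and of DEFAULT in Python, so the effect of the posted rule can be checked offline. The default realm IPA.ORG and the rule itself are taken from the post; the sample principals are constructed for the demonstration.

```python
"""Apply krb5.conf auth_to_local entries to principal names (added example).

MIT krb5 evaluates auth_to_local entries in order.  A RULE entry works in
three steps:
  1. the principal must have exactly n components; "string" is then
     formatted with $0 = realm and $1..$n = the components
  2. the formatted string must match regexp, otherwise the rule is skipped
  3. a sed-style s/pattern/replacement/[g] is applied; the result is the
     local user name
DEFAULT maps user@<default realm> to user and does not apply otherwise.
"""
import re

# Taken from the post: default_realm and the auth_to_local entries of IPA.ORG
DEFAULT_REALM = "IPA.ORG"
POST_RULE = r"RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/"
RULES = [POST_RULE, "DEFAULT"]

RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"          # [n:string]
    r"\((?P<match>.*?)\)"                             # (regexp)
    r"s/(?P<pat>(?:\\.|[^/])*)/(?P<rep>(?:\\.|[^/])*)/(?P<g>g?)$"  # s/pat/rep/[g]
)


def parse_rule(rule):
    """Split a RULE: entry into its parts; raises ValueError on bad syntax."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a valid RULE: entry: %r" % rule)
    return {
        "ncomp": int(m.group("n")),
        "fmt": m.group("fmt"),
        "match": re.compile(m.group("match")),
        "pattern": re.compile(m.group("pat")),
        "replacement": m.group("rep").replace("\\/", "/"),  # sed-style escaped slash
        "count": 0 if m.group("g") else 1,  # 'g' flag: replace all occurrences
    }


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Return the local name the RULE yields, or None if it does not apply."""
    r = parse_rule(rule) if isinstance(rule, str) else rule
    components, realm = split_principal(principal)
    if len(components) != r["ncomp"]:
        return None
    formatted = r["fmt"].replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        formatted = formatted.replace("$%d" % i, comp)
    if not r["match"].search(formatted):
        return None
    return r["pattern"].sub(r["replacement"], formatted, count=r["count"])


def map_principal(rules, principal, default_realm=DEFAULT_REALM):
    """Walk the auth_to_local list in order; None means the mapping fails."""
    for entry in rules:
        if entry == "DEFAULT":
            components, realm = split_principal(principal)
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(entry, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed sample principals, not taken from the post
    for p in ("jsmith@WINDOMAIN.LOCAL", "admin@IPA.ORG",
              "host/ws1.windomain.local@WINDOMAIN.LOCAL", "someone@OTHER.REALM"):
        print("%-45s -> %s" % (p, map_principal(RULES, p)))
```

With the posted entries, jsmith@WINDOMAIN.LOCAL becomes jsmith@windomain.local, the fully qualified, lowercase form under which SSSD exposes users of a trusted AD domain, while admin@IPA.ORG becomes plain admin via DEFAULT. A two-component principal from the AD realm, or any principal from a realm that neither entry covers, maps to nothing and the login is refused. Note that the regexp accepts every single-component principal from WINDOMAIN.LOCAL, so the rule is a name rewrite rather than an access decision: whether the resulting user exists and what it may read is still decided by SSSD and by the permissions on the NFS share.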

