[Freeipa-users] FreeIPA, Windows and Kerberos

Petr Spacek pspacek at redhat.com
Mon Oct 26 08:36:33 UTC 2015


On 23.10.2015 22:31, Alexander Bokovoy wrote:
> On Fri, 23 Oct 2015, Randolph Morgan wrote:
>> We are running a mixed environment network.  However, all of our
>> authentication is performed via LDAP, we do not have an AD on our network,
>> nor do we have any Windows servers, all of our servers are running RHEL.  We
>> are working on implementing a new authentication server that is running
>> FreeIPA, but would like to do single sign-on via Kerberos.  I have been
>> reading posts for the better part of two weeks and can not find instructions
>> that work, on how to get Windows (XP - 10) to authenticate via Kerberos. 
>> Here is a list of some of the sites that I have looked at:
>>
>> https://support.microsoft.com/en-us/kb/837361
>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2573486
>>
> These are irrelevant for the configuration of FreeIPA with machines post
> Windows 7.
> 
>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> This document still stands. Namely, we do not support joining Windows
> machines to a FreeIPA domain.

In other words, you really need an AD or Samba 4 server (with cross-forest
trust support, if it was released already ...) to get proper integration
between FreeIPA and the Windows world.

The main limitation is that FreeIPA currently lacks support for Global Catalog,
so you will not be able to log in to Windows workstations using credentials
from FreeIPA. It will work the other way around.

I hope this helps.

-- 
Petr^2 Spacek



