[Freeipa-users] IPA-AD Login

Coy Hile coy.hile at coyhile.com
Sun Feb 7 21:27:29 UTC 2016


> On Feb 7, 2016, at 2:05 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> On Thu, 04 Feb 2016, Alan P wrote:
>> Hi,
>> 
>> I just configured a trust between an IPA and an Active Directory to
>> authenticate IPA users in Windows machines joined in AD domain. The
>> login is successful, but only after several minutes (nearly 25
>> minutes) in the first attempt; in the next attempts, the required time
>> goes from 5 to 10 min. So, what can I do to reduce the time to
>> something more acceptable? (For reference, when an AD user
>> authenticates it only takes 10 seconds or less).
> Alan, this is not yet supported for multiple reasons. We just have
> worked on this with Michael Brown at DevConf.cz over this weekend and
> while we have had certain progress, it requires heavily patching several
> key components, including CyrusSASL library, 389-ds and FreeIPA. Worse
> to that, we need to write Global Catalog service support in FreeIPA to
> allow Windows machines to actually assign proper rights to IPA users.
> 

Wouldn’t a somewhat easier solution for dealing with Windows be to create a one-way trust so that the AD domain trusts the IPA realm?  Then use AltSecurityID in Windows land to map a “shadow” user to each real principal?  In that way AD gets relegated to a second-class citizen used only for the subset of (likely comparatively unimportant) tasks where one is forced to use Windows?

--
Coy Hile
coy.hile at coyhile.com
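The "shadow user" mapping suggested in the reply above relies on the altSecurityIdentities attribute on an AD user object, which accepts Kerberos name mappings of the form `Kerberos:principal@REALM`. The following PowerShell script is an added example, not code from the thread or from the FreeIPA project; it assumes the ActiveDirectory module is available, that a one-way trust in which the AD domain trusts the IPA realm already exists, and it uses a placeholder realm `IPA.EXAMPLE.COM`, a placeholder OU and a constructed list of IPA principals. It creates a shadow account per principal with a throw-away random password so the account is reachable only through the mapping, adds the mapping idempotently, and then audits the OU for mappings that point anywhere other than the expected IPA realm.

```powershell
# Added example (not from the mailing-list thread). Assumptions:
#  - ActiveDirectory PowerShell module is installed
#  - AD already trusts the IPA realm (one-way trust, AD side)
#  - $IpaRealm, $ShadowOu and $Principals are placeholders / constructed data
Import-Module ActiveDirectory

$IpaRealm   = 'IPA.EXAMPLE.COM'                          # placeholder IPA Kerberos realm
$ShadowOu   = 'OU=IPA-Shadow,DC=ad,DC=example,DC=com'    # placeholder OU for shadow accounts
$Principals = @('alice', 'bob')                          # constructed sample of IPA users

foreach ($p in $Principals) {
    $sam = "ipa-$p"                       # shadow account name in AD
    $krb = "Kerberos:$p@$IpaRealm"        # altSecurityIdentities value for this principal

    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties altSecurityIdentities

    if (-not $user) {
        # Random password that is never recorded: the only intended way into this
        # account is the Kerberos name mapping, not a password logon.
        $randomPw = ConvertTo-SecureString -String ("{0}Aa1!" -f [guid]::NewGuid()) -AsPlainText -Force

        New-ADUser -Name $sam -SamAccountName $sam -Path $ShadowOu `
            -AccountPassword $randomPw -Enabled $true `
            -Description "Shadow account for IPA principal $p@$IpaRealm"

        $user = Get-ADUser -Identity $sam -Properties altSecurityIdentities
    }

    # Add the mapping only if it is not already present (attribute is multi-valued)
    if ($user.altSecurityIdentities -notcontains $krb) {
        Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $krb }
    }

    # Verify the write actually landed
    $check = Get-ADUser -Identity $sam -Properties altSecurityIdentities
    if ($check.altSecurityIdentities -contains $krb) {
        Write-Output "OK      $sam  <-  $krb"
    } else {
        Write-Warning "MISSING mapping on $sam (expected $krb)"
    }
}

# Audit: every mapping in the shadow OU must be a Kerberos mapping into the IPA realm.
# Anything else (a different realm, or an X509 mapping nobody intended) is flagged.
$expected = "^Kerberos:[^@]+@$([regex]::Escape($IpaRealm))$"
Get-ADUser -SearchBase $ShadowOu -Filter * -Properties altSecurityIdentities |
    ForEach-Object {
        foreach ($m in $_.altSecurityIdentities) {
            if ($m -notmatch $expected) {
                Write-Warning "$($_.SamAccountName): unexpected altSecurityIdentities value '$m'"
            }
        }
    }
```

Running the script more than once is safe: existing shadow accounts are reused and an already-present mapping is not added twice. The final audit loop is the part worth scheduling, since an altSecurityIdentities value added outside this process silently grants a different principal the rights of the shadow account.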