[Freeipa-users] AD Sync and groups

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 27 13:02:29 UTC 2016


On Wed, 27 Jul 2016, malo wrote:
>Hi,
>
>Thank you for your reply, it really is much clearer to me now.
>
>I think I get why SSSD offline authentication would help to solve the 
>"AD unreachable" issue.
>
>If I understood well, the SSSD on the IPA master would cache 
>credentials, allowing the user to log in (as in the kinit meaning) 
>even if the AD is unreachable?
On each IPA client, including the IPA master. You are always logging in to
a specific host, and SSSD always tries to reach the server that gives the
authentication response (AD DCs, in the case of AD users). If it cannot
reach that server, offline authentication is considered.

>At last, I did not quite understand how the KDC proxy would help to 
>prevent network related issues.
>
>To me it is just a way to allow users with restrictive firewall rules 
>to authenticate and request tickets, if I understood well (from this 
>doc https://www.freeipa.org/page/V4/KDC_Proxy)
Right.

-- 
/ Alexander Bokovoy



