[Freeipa-users] How does one authenticate Windows login against IPA

John Meyers john+freeipa at themeyers.us
Wed May 18 22:26:55 UTC 2016


Thanks.  I've experimented with that as well with vanilla MIT kerberos
(prior to using FreeIPA) and I agree it works just fine.  However, the
limitation I always found was that it is not practical to manually
create the "shadow objects" and then keep them in sync.  I was hoping
the "winsync" feature would actually be able to handle that part of it,
but it only seems to be able to deal with accounts that come from AD
initially.

On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used mit directly, not IPA. I set up a one way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one way trust testing with freeipa, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo?
>
> -c
>
> Sent from my iPad
>
>> On May 18, 2016, at 17:19, John Meyers <john+freeipa at themeyers.us> wrote:
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information.  2-Way trusts are great, but
>> they only work for kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander).  The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million dollar question is if you are 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John
>>
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
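Added example, not code from anyone in the thread: the shadow-object approach described above hinges on the AD attribute the post calls alternateSecurityID (its real name is altSecurityIdentities, holding "Kerberos:<principal>@<REALM>"), and the part John calls impractical is keeping those objects in sync with IPA. The script below reconciles a constructed IPA user list against constructed AD shadow-object state and emits the LDIF changes needed; the realm IPA.EXAMPLE.COM and the OU are assumptions.

```python
"""Reconcile AD shadow-object Kerberos name mappings against the IPA user list."""
from typing import Dict, List, Tuple

IPA_REALM = "IPA.EXAMPLE.COM"                          # assumed IPA realm name
SHADOW_BASE = "OU=IPA Shadow,DC=ad,DC=example,DC=com"  # assumed AD container for shadow objects

# Constructed sample data, not a live directory read: uids present in IPA.
IPA_USERS = ["alice", "bob", "carol"]

# Constructed sample data: altSecurityIdentities currently set on AD shadow objects.
AD_SHADOWS = {
    "alice": ["Kerberos:alice@IPA.EXAMPLE.COM"],   # correct mapping
    "bob":   ["Kerberos:bob@OLD.EXAMPLE.COM"],     # points at a retired realm
    "dave":  ["Kerberos:dave@IPA.EXAMPLE.COM"],    # user no longer exists in IPA
}


def expected_mapping(uid: str, realm: str = IPA_REALM) -> str:
    """AD name-mapping value that ties a shadow object to the foreign IPA principal."""
    return f"Kerberos:{uid}@{realm}"


def reconcile(ipa_users: List[str], ad_shadows: Dict[str, List[str]],
              realm: str = IPA_REALM) -> Tuple[List[str], List[str]]:
    """Return (ldif_changes, stale_shadows).

    ldif_changes: LDIF records that create a missing shadow object or replace a
    wrong altSecurityIdentities value. stale_shadows: shadow uids with no IPA
    user; they are reported, not deleted, so an operator can disable them.
    """
    changes: List[str] = []
    for uid in sorted(ipa_users):
        dn = f"CN={uid},{SHADOW_BASE}"
        want = expected_mapping(uid, realm)
        have = ad_shadows.get(uid)
        if have is None:
            changes.append(f"dn: {dn}\nchangetype: add\nobjectClass: user\n"
                           f"sAMAccountName: {uid}\naltSecurityIdentities: {want}\n")
        elif want not in have:
            # Replace any old Kerberos: mapping with the current realm's value.
            changes.append(f"dn: {dn}\nchangetype: modify\nreplace: altSecurityIdentities\n"
                           f"altSecurityIdentities: {want}\n-\n")
    stale = sorted(set(ad_shadows) - set(ipa_users))
    return changes, stale


if __name__ == "__main__":
    ldif, stale = reconcile(IPA_USERS, AD_SHADOWS)
    print("\n".join(ldif))
    print("stale shadow objects (disable, do not delete):", stale)
```

Run it on a schedule against real exports of both directories and feed the LDIF to ldapmodify; the stale list is the signal that an IPA deprovisioning has not yet reached AD.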