[Freeipa-users] How does one authenticate Windows login against IPA

John Meyers john+freeipa at themeyers.us
Thu May 19 03:20:33 UTC 2016


Even if you get that to work, you are still stuck with the same issue
discussed earlier in this thread -- you need to have a Windows account,
either local or AD, to be able to log in and grant rights against.  pGina
just handles the authentication part.  The only way to do either a 1-way
Kerberos trust (AD->IPA) or pGina is to somehow sync native IPA users to
AD (or Samba AD) to create the "shadow account"?  Winsync will not do this.



On 5/18/16 7:49 PM, Michael ORourke wrote:
> What about using the pGina project on the Windows side?
>
> Reference:
> http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
>
> -Mike
>
> -----Original Message-----
>> From: John Meyers <john+freeipa at themeyers.us>
>> Sent: May 18, 2016 5:19 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] How does one authenticate Windows login against IPA
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information.  2-Way trusts are great, but
>> they only work for Kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander).  The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million-dollar question is if you are a 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John





