[Freeipa-users] How does one authenticate Windows login against IPA

John Meyers john+freeipa at themeyers.us
Thu May 19 14:09:13 UTC 2016


(Apologies for a possible double post.)

Can you share the details of how you managed to do this with FreeIPA (even
if it includes kadmin.local work)?  Many thanks!


On 5/18/16 6:03 PM, Coy Hile wrote:
> When I've done this in the past, I used MIT directly, not IPA. I set up a one-way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one-way trust testing with FreeIPA, but unfortunately I had to use kadmin.local to do it. I don't know that that's actually supported. Simo?
>
> -c
>
>> On May 18, 2016, at 17:19, John Meyers <john+freeipa at themeyers.us> wrote:
>>
>> All,
>>
>> FreeIPA as we've discovered has some wonderful Windows integration
>> capability, but it is all predicated on Windows AD being the
>> authoritative source of user information.  2-Way trusts are great, but
>> they only work for Kerberized applications, not native Windows rights
>> (that would require FreeIPA to act as global catalog as I learned from
>> Alexander).  The winsync capability does not, as it turns out, sync
>> native IPA users to AD.
>>
>> The million dollar question is if you are a 90% Linux shop and FreeIPA is
>> your authoritative user repository (AD is a blank slate), how do you
>> perform local Windows login authentication for the 10% of Windows
>> machines against FreeIPA?
>>
>> Thank you all!
>>
>> John