[Freeipa-users] Is WinSync A Bad Choice?

Jason B. Nance jason at tresgeek.net
Wed Feb 1 22:19:39 UTC 2017


>>     - Users can't log in to a Linux box using just "username" (user@ad.domain is
>>     used)
> 
> In the current version you can use the 'default_domain_suffix' option in
> sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> limitation go away.

Thank you very much, Jakub. That is helpful information! Are you saying that there will basically be a domain search order or something for users who log in without specifying a domain?

Back to the community as a whole, regarding these other items:

>    - Since AD trust users don't show up in the FreeIPA web UI, users can't log in to manage their own SSH keys

After doing some additional thinking/researching I realized that SSH keys become largely irrelevant because of GSSAPI (Dmitri Pal posed this question in this thread: https://www.redhat.com/archives/freeipa-users/2013-September/msg00290.html).

>    - User/group management in general becomes largely a command-line operation (such as mapping groups so they can be used in HBAC and sudo rules)

While this is a nice-to-have, it isn't a deal breaker.

I have another question.  Can additional authentication requirements (such as 2FA) be imposed on users from a trust via IPA?

Thanks,

j



