On Wed, 2015-11-18 at 11:46 +0100, Domineaux Philippe wrote:
> Here is my environment:
>
> 1 Windows Domain
> Windows workstations
> Windows servers
> Multiple Linux domains
> Linux workstations
> Linux servers
>
> Here is my goal:
>
> All users are centralized in the Active Directory.
> Users will authenticate on Linux workstations with their AD accounts
> (using POSIX attributes).
> Linux workstations must have access to NFS shares on Linux servers.
Hi Domineaux,
you should look into setting up FreeIPA with a trust relationship to the Windows Domain.

> What are the limitations?

It is hard to say what kind of limitations you are interested in. When we trust AD, AD users can access Linux machines; one limitation (if you think it is a limitation) is that AD users will have fully qualified names on the host (example: [email protected]) and not just flat names, to avoid name clashes between IPA users, local users and AD users.

> Windows users equal IPA users in terms of services?

Yes.

> Do I have to configure Kerberos to also join directly the Windows Kerberos
> Realm,
> or will IPA do the job to ask the Windows server?

If you set up a trust between servers, all is taken care of for you wrt clients.

> in /etc/krb5.conf:
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = IPA.ORG
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> canonicalize = yes
> allow_weak_crypto = true
>
> [realms]
> IPA.ORG = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
> auth_to_local = DEFAULT
> }
>
> ### IS THIS NECESSARY
> WINDOMAIN.LOCAL = {
> kdc = srvadipa.windomain.local
> admin_server = srvadipa.windomain.local
> }
>
> [domain_realm]
> .cosmo.org = COSMO.ORG
> cosmo.org = COSMO.ORG
>
> ### IS THIS NECESSARY
> .windomain.local = WINDOMAIN.LOCAL
> windomain.local = WINDOMAIN.LOCAL

It depends on what client you are using. Older RHEL may need this; newer ones have an include directory in krb5.conf, and sssd generates the appropriate configuration automatically based on the server configuration.

> Is the bug in libnfsidmap still active and preventing Windows users from
> accessing an NFS4 krb5-secured shared folder?

I am not sure what bug you refer to.
You may need to configure the NFS client's NFS idmap, but I am not aware of bugs that will prevent it from working right if properly configured.
Specifically you may want to *not* try to consult LDAP from idmap, but use a regex to transform the Windows realm from upper case to lowercase and then just use the getpwnam interface.

Simo.

> I currently have
>
> bug here:
> https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Simo Sorce * Red Hat, Inc * New York
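As an added illustration of the idmap advice above (this is not from the thread and not FreeIPA's or nfs-utils' own documentation), here is what an /etc/idmapd.conf that avoids LDAP and instead rewrites the upper-case Windows realm before falling through to getpwnam could look like. It assumes the installed libnfsidmap provides the `regex` translation method and that the `[Regex]` key names match the idmapd.conf(5) man page on the target system; check that man page before relying on them. WINDOMAIN.LOCAL and windomain.local are taken from the quoted krb5.conf; the NFSv4 domain ipa.org is an assumed value.

```ini
# /etc/idmapd.conf (added example; realm names from the quoted krb5.conf,
# the NFSv4 domain ipa.org is an assumption for this illustration)

[General]
# NFSv4 on-the-wire names are user@Domain; this must be identical on the
# NFS server and all NFS clients or every name maps to Nobody-User.
Domain = ipa.org

[Mapping]
# What an unmappable name becomes. Seeing files owned by this user is the
# usual symptom of a mapping (not a Kerberos) problem.
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
# Do NOT use umich_ldap here: no LDAP lookups from idmap. The regex method
# rewrites the incoming name with the rules in [Regex] and then resolves the
# result through the normal NSS getpwnam()/getgrnam() path, i.e. through
# sssd, which already knows the trusted AD users as user@windomain.local.
Method = regex

[Regex]
# Capture the account part of user@WINDOMAIN.LOCAL, the upper-case realm
# form in which the Windows KDC issues the principal...
User-Regex = ^([^@]+)@WINDOMAIN\.LOCAL$
Group-Regex = ^([^@]+)@WINDOMAIN\.LOCAL$
# ...and re-append the realm in the lower-case form sssd uses for the fully
# qualified AD names on the host, so the lookup hits the right entry.
Append-After-User = @windomain.local
Append-After-Group = @windomain.local
```

After changing the file, clear the kernel's id-mapping cache with `nfsidmap -c` (and restart rpc.idmapd where it is in use) before re-testing, otherwise stale nobody mappings keep being served from the keyring. Note that only the realm is lowercased; the account part is passed through unchanged, so a mixed-case sAMAccountName still has to match whatever form sssd returns for it.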
