Steve,
We have the same problem with the web interface. From what I can tell, you must either sync
accounts, delegate account passwords with RADIUS (which works for the web interface but
not Kerberos), and/or use service accounts.
Our systems use kickstart and auto-join ipa on deployment with a service account, which
may work for your needs. There's also an Ansible module you could use with an
ansible-vaulted ipa-join service account.
Thanks,
-Jake
From: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
Cc: "Steve Weeks" <nbxsteve(a)gmail.com>
Sent: Friday, July 28, 2017 12:46:02 PM
Subject: [Freeipa-users]ipa-client-install using AD/ad_admin credentials
We want to let AD admins install new Linux FreeIPA clients using their AD credentials. It
looks like it fails using kinit in the script. If you run kinit 'AD\ad_admin' you
get the same error.
Is it feasible to do what we want? Does it make sense? We already have a system for
managing the sysadmins in AD and don't really want to set up double accounts for them.
(We have lots of sysadmins).
Thanks,
Steve