On Fri, 17 May 2019, Lars Seipel wrote:
>On Mon, May 13, 2019 at 01:06:10PM +0300, Alexander Bokovoy via
>FreeIPA-users wrote:
>>On Mon, 13 May 2019, Dirk Streubel via FreeIPA-users wrote:
>>>Does somebody know if it is now possible to build a trust between Samba 4.10 with
>>>MIT-Kerberos and FreeIPA version 4.7?
>>>The last entry about this thing is about a year old.
>>>Maybe someone here on this list has new information for me.
>>You may try with versions in Fedora 30 (updates). It includes FreeIPA
>>4.7.90.pre1 which has some improvements in this area.
>Just to be sure: this is about AD users from a Samba-based domain
>accessing FreeIPA resources. The other way around (i.e. IPA users
>logging into Windows systems) is not expected to work, right?

Correct.

>AFAICT, it still hinges on the availability of a Global Catalog
>implementation on the IPA side. Correct?

Correct.

>Is your 2017 SambaXP talk[1] still an accurate description of what
>would need to happen to make this work?

Yes. I have some progress since that time in a bit of obscure areas
around domain membership on IPA clients. Some of that work showed that
in some cases it is possible to resolve IPA users' SIDs to names without
global catalog too. I'm intending to look into that after landing domain
member work soon.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland