On Fri, 2014-08-29 at 09:00 +0100, John Hodrien wrote:
> On Thu, 28 Aug 2014, Simo Sorce wrote:
>>> auth_provider = krb5
>>> chpass_provider = krb5
>>> krb5_realm = IPA.EXAMPLE.TEST
>>> krb5_server = ipa-host.ipa.example.test
>>
>> Without a keytab, validation is not possible; that's not ideal.
> Depending on your reason for not joining a machine to the domain, you're free
> to share a single kerberos lookup credential via a keytab between multiple
> machines, which still gives you the ability to validate.
Although if one of the machines is compromised, you can now fool the
others; still better than no validation at all.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
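The gap discussed in this thread (an sssd domain using `auth_provider = krb5` with no keytab, so the TGT returned by the KDC is never checked against a service key) can be audited from the configuration alone. The following POSIX shell script is an added example, not code from the list post or from the sssd project: it parses `[domain/...]` sections of an sssd.conf-style file, classifies each as unvalidated, keytab-missing or validated, and writes two constructed sample configs to a temp dir, the quoted one and a hardened copy that adds `krb5_keytab` (a keytab shared across non-joined hosts, as the thread suggests) and `krb5_validate = true`. `auth_provider`, `krb5_validate` and `krb5_keytab` are real sssd options; the realm, hostname, keytab path and keytab contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sssd domain sections for
# krb5 auth that runs without TGT validation (no keytab / no krb5_validate).
# auth_provider, krb5_validate and krb5_keytab are real sssd.conf options;
# all sample config text, names and paths below are constructed.

# Print the value of key $2 in section [domain/$1] of the config read on stdin.
sssd_get() {
    awk -v sect="[domain/$1]" -v key="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insect = (s == sect); next }
        insect {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Classify one domain of config file $1 named $2:
#   n/a             auth_provider is not krb5, nothing to check here
#   unvalidated     krb5 auth with krb5_validate unset: a spoofed KDC is accepted
#   keytab-missing  krb5_validate set but the keytab is absent or unreadable
#   validated       krb5_validate = true and a readable keytab is present
sssd_krb5_status() {
    conf=$1; dom=$2
    auth=$(sssd_get "$dom" auth_provider < "$conf")
    if [ "$auth" != "krb5" ]; then echo "n/a"; return 0; fi
    validate=$(sssd_get "$dom" krb5_validate < "$conf")
    keytab=$(sssd_get "$dom" krb5_keytab < "$conf")
    [ -n "$keytab" ] || keytab=/etc/krb5.keytab   # sssd default when unset
    case "$validate" in
        [Tt]rue|[Yy]es|1)
            if [ -r "$keytab" ]; then echo "validated"; else echo "keytab-missing"; fi ;;
        *)  echo "unvalidated" ;;
    esac
}

# Constructed sample inputs, written to a temp dir so the script runs offline.
DEMO=$(mktemp -d)
# Placeholder standing in for a keytab file; only its presence is checked.
printf '%s\n' "placeholder, not a real keytab" > "$DEMO/shared-lookup.keytab"

# Weak: the config quoted in the thread, no keytab and no validation.
cat > "$DEMO/weak.conf" <<EOF
[domain/ipa]
auth_provider = krb5
chpass_provider = krb5
krb5_realm = IPA.EXAMPLE.TEST
krb5_server = ipa-host.ipa.example.test
EOF

# Hardened: a keytab (here one shared between several non-joined hosts, as
# suggested in the thread) plus krb5_validate so the TGT is checked against it.
# Sharing the keytab means a compromise of any one host can fool the others,
# which is the trade-off the thread points out.
cat > "$DEMO/fixed.conf" <<EOF
[domain/ipa]
auth_provider = krb5
chpass_provider = krb5
krb5_realm = IPA.EXAMPLE.TEST
krb5_server = ipa-host.ipa.example.test
krb5_keytab = $DEMO/shared-lookup.keytab
krb5_validate = true
EOF

for f in weak fixed; do
    echo "$f.conf: $(sssd_krb5_status "$DEMO/$f.conf" ipa)"
done
```

Run it as `sh audit-sssd.sh`; the weak config reports `unvalidated` and the hardened one `validated`. `krb5_validate` is the sssd option that verifies the obtained TGT against a key from `krb5_keytab`; whether a shared keytab that carries no `host/<fqdn>` principal is accepted for that check depends on the sssd version, so confirm against the sssd-krb5 man page for the release in use before relying on the shared-keytab approach.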