FreeIPA: centralized identity management for Linux
Posted Dec 14, 2012 11:49 UTC (Fri) by ab (subscriber, #788)
Samba4 AD DC does not support cross-realm trusts between different forests yet. Thus, it is not yet possible to use the AD trusts feature of FreeIPA 3.x to connect two separate installs, Samba 4 AD DC and FreeIPA. Once we get cross-realm trusts working for the cross-forest case in Samba 4 AD DC, an AD trust between FreeIPA and Samba 4 AD DC should start working as well.
Yes, it is mostly a Kerberos trust once it is established, except for a lot of small details on verifying ticket extensions in the MS-PAC structure (documented in the MS-KILE spec) which change over time, and the resolution of SIDs (MS-PAC records SIDs, not group or user names, so one has to resolve them first in order to use them), which is a complicated matter in complex topologies.
However, in order to establish an AD trust one needs to use the SMB protocol and MS-RPC services. You may want to look at http://freeipa.org/page/IPAv3_Architecture to get a high-level overview of what's happening. The page has some outdated material though; I'm working on updating it as we speak.
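The comment above points out that the PAC carries SIDs rather than names, so a trusting realm has to decode and resolve them before it can do anything with group membership. The following is an added example (not code from the comment, FreeIPA or Samba) showing the mechanical part of that: decoding the binary SID layout from MS-DTYP, joining the PAC's domain-relative RIDs to the logon domain SID, and looking the results up in a resolver table. The trusted-domain SID, the RIDs and the name table are constructed sample data; in a real deployment the lookup would go over LSA RPC to the trusted domain, which is the part the comment calls complicated.

```python
"""Decode PAC-style SIDs and resolve them to names.

Added example, not FreeIPA or Samba code.  The name table below is
constructed sample data; a real trust controller resolves SIDs by asking
the trusted domain over LSA RPC rather than from a static table.
"""
import struct

SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15  # limit from MS-DTYP


def parse_sid(buf, offset=0):
    """Decode one binary SID (MS-DTYP 2.4.2.2) starting at buf[offset:].

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian 32-bit sub-authorities.  Returns (sid_string, size).
    Every length is checked before use so a short or hostile PAC cannot
    make us read past the buffer.
    """
    if len(buf) - offset < 8:
        raise ValueError("SID header truncated")
    revision, count = buf[offset], buf[offset + 1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"SubAuthorityCount {count} exceeds {MAX_SUB_AUTHORITIES}")
    size = 8 + 4 * count
    if len(buf) - offset < size:
        raise ValueError("SID sub-authorities truncated")
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, offset + 8)
    parts = ["S", str(revision), str(authority), *map(str, subs)]
    return "-".join(parts), size


def sid_to_bytes(sid):
    """Inverse of parse_sid: 'S-1-5-21-...' -> binary SID."""
    fields = sid.split("-")
    if len(fields) < 3 or fields[0] != "S" or int(fields[1]) != SID_REVISION:
        raise ValueError(f"malformed SID string {sid!r}")
    authority = int(fields[2])
    subs = [int(f) for f in fields[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError(f"SID out of range {sid!r}")
    return (bytes([SID_REVISION, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_with_rid(domain_sid, rid):
    """Join a RID to a domain SID, as for the GroupIds array of the PAC's
    KERB_VALIDATION_INFO, whose entries are relative to LogonDomainId."""
    return f"{domain_sid}-{rid}"


def pac_sids(logon_domain_sid, group_rids, extra_sid_blobs):
    """Collect every SID the PAC asserts for the user: domain-relative
    groups (RIDs joined to LogonDomainId) plus the full SIDs in ExtraSids."""
    domain, _ = parse_sid(logon_domain_sid)
    sids = [sid_with_rid(domain, rid) for rid in group_rids]
    for blob in extra_sid_blobs:
        sid, used = parse_sid(blob)
        if used != len(blob):
            raise ValueError("trailing bytes after SID")
        sids.append(sid)
    return sids


def resolve_sids(sids, table):
    """Map SIDs to names.  Unknown SIDs resolve to None rather than to a
    guessed name: an unresolvable SID must not silently become a group."""
    return {sid: table.get(sid) for sid in sids}


# Constructed sample data: hypothetical trusted-domain SID and names.
TRUSTED_DOMAIN_SID = sid_to_bytes("S-1-5-21-1111-2222-3333")
SAMPLE_TABLE = {
    "S-1-5-21-1111-2222-3333-513": "AD\\Domain Users",
    "S-1-5-21-1111-2222-3333-1105": "AD\\ipa-admins",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}


def demo():
    """Resolve a constructed PAC: two domain RIDs, one well-known SID and
    one SID the table does not know (left unresolved)."""
    extra = [sid_to_bytes("S-1-5-11"),
             sid_to_bytes("S-1-5-21-1111-2222-3333-9999")]
    return resolve_sids(pac_sids(TRUSTED_DOMAIN_SID, [513, 1105], extra),
                        SAMPLE_TABLE)


if __name__ == "__main__":
    for sid, name in demo().items():
        print(f"{sid:40} -> {name or '<unresolved>'}")
```

The length checks in parse_sid are the point worth copying: the PAC arrives inside a ticket issued by the other side of the trust, so every count field in it is attacker-influenced input until the PAC signature has been verified, and even afterwards a malformed SID should fail closed rather than be looked up as something else.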