On Mon, 28 Jan 2019, François Cami wrote:
> On Mon, Jan 28, 2019 at 1:02 PM Ronald Wimmer via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
> >
> > On 28.01.19 12:42, Alexander Bokovoy wrote:
> > > On Mon, 28 Jan 2019, Ronald Wimmer via FreeIPA-users wrote:
> > > [...]
> > > > Is there any experience on how to deal with such a situation?
> > > Really depends on where these existing clients are located and what is
> > > their function. Do they belong to some other Kerberos realm already?
> > > Like some Active Directory domain?
> > >
> > > Some scenarios are covered by
> > >
> > > https://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/
> > > and related articles linked from that blog.
> >
> > It looks like option 3b from your link would work. I do not care if I
> > lose Kerberos functionality. What I do care about is if I still have the
> > possibility to use
> >
> > - IPA users for logging in on these systems
> > - users coming from AD
> > - sudo rules
> > - HBAC rules
> The thing is, if I'm not mistaken Kerberos is required for sudo and
> HBAC to work.
No. id_provider=ipa is required, but that means SSSD would by default use
the host/... Kerberos principal to talk to IPA masters. That's all enabled
and will work just fine if krb5.conf on the client maps the hostname of
this machine to the IPA realm. What will not work is Kerberos (GSSAPI)
authentication from Windows clients to these machines, because at that
point Windows systems will rely on the AD DCs' knowledge of which realm
host/... belongs to, and those will see a host from *.mydomain.at and
consider it as belonging only to the AD DC. They also will not find the
host in AD (since it is not really enrolled in AD) and thus will deny
any Kerberos service ticket to services hosted on that machine. At no
point will they consider that this host belongs to some other
realm (IPA).
> > Cheers,
> > Ronald
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
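The point Alexander makes is that the client-side mapping in krb5.conf is what lets SSSD (id_provider=ipa) and libkrb5 send the host/... principal to the IPA realm even though the machine's DNS name lives under an AD-owned domain, while the AD DCs never see that file and so keep treating the name as theirs. The script below is an added example, not code from the thread or from the FreeIPA project: it models the [domain_realm] lookup that libkrb5 performs (exact host name first, then the longest matching parent domain, dotted form before bare form; a simplified re-implementation, not the library's own code) against a constructed krb5.conf fragment. The realm names IPA.EXAMPLE.TEST and MYDOMAIN.AT and the host names ipa-client1.mydomain.at, fileserver.mydomain.at and ipa-master.ipa.example.test are assumptions chosen for illustration.

```python
"""Model of how a Kerberos client picks the realm for a service host.

Added example, not code from the FreeIPA project or from the thread.
It re-implements the [domain_realm] lookup rule of MIT krb5 in a simplified
form (exact host match first, then the longest matching parent domain, with
the dotted form tried before the bare form). Realm and host names below are
assumptions, not values taken from the original thread.
"""

# Constructed krb5.conf fragment for an IPA client whose DNS name sits in an
# Active Directory-owned domain (*.mydomain.at). Realm names are placeholders.
KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_realm = false

[domain_realm]
  # Everything under mydomain.at is AD by default ...
  .mydomain.at = MYDOMAIN.AT
  mydomain.at = MYDOMAIN.AT
  # ... except this one machine, which is IPA-enrolled without a rename.
  # Only this client reads this line; the AD DCs never do, which is why
  # Windows clients still fail to get a service ticket for it.
  ipa-client1.mydomain.at = IPA.EXAMPLE.TEST
  .ipa.example.test = IPA.EXAMPLE.TEST
  ipa.example.test = IPA.EXAMPLE.TEST
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of lowercase key -> realm.

    Only the flat `key = value` lines of that one section are read; the
    nested `{ }` blocks of [realms] are not needed for this lookup.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def resolve_realm(hostname, mapping, default_realm=None):
    """Map a service host name to a realm using the domain_realm table.

    Order: exact host name, then each parent domain from longest to
    shortest, trying the dotted form (".mydomain.at") before the bare form.
    Returns default_realm when nothing matches.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return default_realm


if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for name in ("ipa-client1.mydomain.at",
                 "fileserver.mydomain.at",
                 "ipa-master.ipa.example.test"):
        print(f"{name:32s} -> {resolve_realm(name, table)}")
```

Running it shows the asymmetry in the thread: on this client, ipa-client1.mydomain.at resolves to the IPA realm while every other *.mydomain.at name still resolves to the AD realm, so SSSD's host/... principal reaches the IPA masters. A Windows client asking its AD DC for a ticket to host/ipa-client1.mydomain.at consults no such table; the DC matches the name to its own domain, finds no computer object, and refuses the ticket exactly as described above.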