Anabela Mazurek via FreeIPA-users wrote:
> We are trying to solve a problem with certificate login using smart card
> to FreeIPA Kerberos added Windows workstation. As we are testing there could be a request
> of using ntuser and/or ipantuser class for getting sid and ntname attribs. For now we are
> not sure if it is needed, but when we were trying to define this for newly created objects we
> discovered that this is impossible, and because we are not sure if it is like this I did
> ask. Thank you for the answer.

So you managed to enroll a Windows client into IPA and now you want to
use smart cards with certificates to authenticate the users in Windows?
I'm not sure anyone has tried before but you wouldn't need *user in the
machine entry regardless.

We don't encourage people to directly enroll Windows clients into IPA.
IPA is not an AD replacement. We recommend using AD trust instead.

rob