#5762 [RFE] Support IdM Client in a DNS domain controlled by AD
Closed: Fixed None Opened 5 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1320838

Description of problem:
In many user environments, the potential IdM clients are in a DNS domain
controlled by Active Directory (aka "Trust Frankenstein setup").

Requirement to migrate them all to an IdM controlled domain is not usually
rather complicated. This bug is a request for procedure or a document on how to
deploy IdM with a client hostname in an AD DNS domain.

User Story:
IDMRHEL-42: As an Administrator with a big number of Linux machines in a DNS
domain controlled by Active Directory, I want to join them to the IdM Server so
that they can benefit from its Linux focused features.

Design is ready for review.

Alexander, thanks! I tried to digest and it seems that the answer to the question that I have in mind is "yes" but I am not clear on exactly how.

So here is the question: As an administrator on a Windows system connected to my AD domain I want to SSH into a Linux system in a trusted IPA domain that has a hostname managed by AD DNS zone. Can I do this and how?

It seems that it would be possible but after reading the page I do not see exactly how. Do I need to make any changes on the Windows client? If so, which? If the changes are just on the Linux box I access, what are the steps that I need to run? Can they be presented in a list that I can follow?

If hostname is in AD DNS zone, the only working login schemes are by utilizing a password or a public key. No single sign-on (GSSAPI) will be possible.

No changes on Windows client are needed.

The changes for Linux side are outlined in http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain#No_single_sign-on_required

With Alexander's FreeIPA.org article published and #5903 fixed, I think we can consider this request fixed, to the best of our knowledge.

Metadata Update from @pvoborni:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.4

4 years ago
