Samba4/Proposal for IPA to AD trust: Difference between revisions

From SambaWiki
Revision comparison

Old revision (edit summary: "start on IPA / AD ideas") versus latest revision (edit summary: "move trust proposals to separate pages"); 14 intermediate revisions by the same user are not shown.

Line 8 (unchanged in both revisions):
That Kerberos is the only authentication protocol in use (that fallback to NTLM has been disabled or is unwanted)

Old revision:
=Basic Design=
The only sensible trust mechanism for this task is a 'Forest Trust'. This model provides for mismatching schema and mismatching functional levels, both of which are highly desirable (to avoid forced upgrades of the AD infrastructure).
The design consists of these parts:
==KDC==
A single KDC

Latest revision:
=Background=
See the [[Samba4/Linking_AD_and_unix_directories|discussion of various trust types available in AD]]
=Designs=
There are two feasible designs for the IPA to AD trust:
* [[Samba4/Proposal_for_IPA_to_AD_forest_trust|Forest Trusts]]
* [[Samba4/Proposal_for_IPA_to_AD_MIT_trust|MIT Trusts]]

Latest revision as of 23:07, 15 February 2009

Purpose

To link FreeIPA to AD in a way that minimises replication of data.

Key assumptions

IPA and AD are separate DNS domains, visible to each other within the same company, that administrators wish to join in such a way that users and services are easily accessed on both sides of the trust using Kerberos.

That Kerberos is the only authentication protocol in use (that fallback to NTLM has been disabled or is unwanted)

Background

See the discussion of various trust types available in AD

Designs

There are two feasible designs for the IPA to AD trust:

Forest Trusts
MIT Trusts