Description of problem:
Customers would like to be able to use their IdM users to log on to Windows clients that are part of the trusted domain.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0
ipa-server-trust-ad-4.1.0

How reproducible:
100 %

Steps to Reproduce:
1. Set up a normal cross-realm trust
2. IdM users are not able to log on to Windows clients
3. Global Catalog plugin/feature/option will need to be added.

Actual results:
Login not possible

Expected results:
Login is acceptable

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3125
Please note that the first version of this feature would not cover all possible use cases that an IdM user could do on a Windows client. It will cover basic use cases that will be enabled by adding a Global Catalog to IdM Server. Next use cases can be investigated after this step.

Having said that, this is the current set of User Stories that we are managing:

User Story 1: As a Windows Administrator I want to add IdM Users and Groups to the access control lists of resources in Active Directory, so that I can let IdM users log in to Windows clients enrolled with Windows Server and to file shares.
- Acceptance Criteria
  * I can enable the "Allow logon locally" Global Policy for a special group with all IdM users, a selected IdM Group or an IdM User to later enable local logon
  * I can add a special group with all IdM users, a selected IdM Group or an IdM User to the "Remote Desktop Users" group to later enable remote logon
  * I can grant access to a file share located on Windows Servers
  * Limitation: the use cases not explicitly called out above may or may not work and are not supported in the first implementation.

User Story 2: As an IdM User I'm able to log in remotely or locally to a Windows client enrolled in Windows Server, so that the user can use file shares or run a Windows application.
- Acceptance Criteria
  * Prerequisite: this workflow requires a bi-directional Trust between IdM Server and the AD Forest Root and a Workstation enrolled in the forest's domain
  * When allowed, an IdM user can log in with his user name and password to a local Windows terminal
  * When allowed, an IdM user can log in with his user name and password to a remote Windows terminal using an RDP client (test with FreeRDP)
  * An IdM user can open, modify or delete a file in a folder, when allowed by the respective Windows folder ACL
  * An IdM user can run a Windows application that does not require any additional interfaces (like SMB or DCE RPC) available on IdM Server

Comments and suggestions welcome!
The RFE would be targeted primarily for RHEL-8.1 or later, not for RHEL-7.x - moving Bug to another product.
Current state is recorded in the SambaXP'2020 talk:
slides: https://sambaxp.org/archive-data-samba/sxp20/sxp20-d2/sxp20-d2t2-1-bokovoy-blancrenaud-FreeIPA-Catalog.pdf
video (and demo): https://sambaxp.org/archive-data-samba/sxp20/sxp20-d2/sxp20-d2t2-1-bokovoy-blancrenaud.mp4