Description of RFE: After having a customer call with Dmitri from the IdM BU, he asked that I create this RFE on behalf of the customer. Allow accounts stored in Azure AD access Linux systems joined into and managed by IdM. Allow sudo, hbac and SSH key management for those accounts. Large TAM customer currently has about 5,000 RHEL systems on-prem and about 3,000 RHEL systems in Azure with management asking for a larger RHEL-in-Azure footprint. This RFE will allow the customer to continue adding RHEL subs as their focus continues to shift towards Azure.
from customer: Are there any efforts on supporting multifactor logins with users who have a microsoft authenticator token for example that could integrate into IDM ? This is the current configuration we have today for multi-factor authentication for a large chunk of users. Would this type of multifactor authentication be supported in our current configuration given we are reliant on an AD trust ?
It is impossible to answer these questions without knowing specific details of the implementation in use. A generic answer is that with Kerberos, the source of truth is the KDC that stores information about the user. In case of Active Directory, those are Active Directory domain controllers, not IdM servers. As far as I know, Active Directory has no support for multifactor authentication on Kerberos level. Instead, they have it all integrated on the Windows operating system level and use a different protocol to authenticate the user on Windows desktop and then obtain a Kerberos ticket based on that. This method is not supported and will unlikely be supported as it is all proprietary. Once a Kerberos ticket granting ticket is obtained on Windows machine, it can be used to authenticate to RHEL IdM-enrolled machines over trust to Active Directory with the help of PuTTY or similar applications.