Concealing user principal names for realm crossover

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Mar 18 13:13:41 EDT 2015


> RedHat's FreeIPA may provide some similar functionality, but I'm not familiar
> with it.  Ditto Samba.

If I'm not mistaken, FreeIPA 4.1+ should have the ability to overwrite or add user attributes locally (including "username", uidNumber, group membership). However, it can only do trusts with AD. The big advantage to overriding attributes locally is that it paves the way for trusts with plain Kerberos realms which aren't exporting any user attributes.


