Using KEYRING was state of the art at the moment Kerberos was bundled for RHEL7. However, moving forward into the world of containers, using KEYRING becomes a challenge; thus SSSD is building an internal ticket cache that will be supported by the system Kerberos libraries. So in general the recommendation nowadays is to use the native OS Kerberos libraries; they are the most recent and will provide the latest functionality and experience.
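The two credential-cache choices the post contrasts, as an added configuration example that is not part of the original post. It assumes the SSSD-backed cache the post refers to is SSSD's KCM cache (sssd-kcm); that identification is mine, the post itself only says "internal ticket cache". The settings are /etc/krb5.conf [libdefaults] fragments; use one or the other, not both.

```ini
# Added example, not from the post. Fragment of /etc/krb5.conf.

# Option A: the kernel-keyring cache that RHEL 7 defaulted to.
# The cache lives in the kernel keyring of the calling uid, which is the part
# that becomes a problem when the process runs in a container sharing the host
# kernel but not a matching user/keyring setup.
[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}

# Option B (assumption: this is the SSSD-managed cache the post means).
# The Kerberos library stores tickets via the sssd-kcm daemon over its local
# socket, so no kernel keyring is needed and SSSD owns the cache lifecycle.
[libdefaults]
    default_ccache_name = KCM:
```

After switching, `kinit` followed by `klist` shows which backend is in use in the "Ticket cache:" line (`KEYRING:persistent:...` or `KCM:...`); with option B the sssd-kcm socket must be enabled on the host, otherwise `kinit` fails with a cache error rather than silently falling back.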
Hello,

As a member of the FreeIPA community and a Red Hatter I would be very glad to help resolve this issue. There were in fact some challenges. I remember that one was related to the complications of how different components of the cluster located on the same node use Kerberos. The other was related to how group membership is fetched. There was some not officially supported tuning that was needed. So in general the default configuration that is provided by ipa-client needs to be tuned to make things work.

A couple of corrections to the post:
- FreeIPA uses 389DS, not OpenLDAP, for its directory service.
- FreeIPA (or Red Hat Identity Management, which is how the component is named) is capable of complex trust setups and works very well with them. The challenge is the custom configuration that needs to happen to make all parts work.
- IdM is a part of RHEL and is supported by Red Hat, so if/once integration and configuration are sorted out, a joint solution can be supported by both communities and companies.

If we want to move forward on this please reach out to me. I am the right person for that. I am looking forward to a productive collaboration on this front.

Thank you,
Dmitri Pal