SCIENTIFIC-LINUX-USERS Archives

July 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Fri, 22 Jul 2016 07:01:22 -0500
I also noted this in the TUV's docs with great interest.  One caveat:  The docs
recommend at least Windows Server 2012 for the trust between IPA and AD.

On 07/22/2016 05:42 AM, David Sommerseth wrote:
> On 22/07/16 09:45, Lars Behrens wrote:
>> Am 22.07.2016 um 01:11 schrieb David Sommerseth:
>>
>>> Have a look at authconfig and sssd.  The former should help configure
>>> all these things for you, including proper PAM setup as well as LDAP and
>>> Kerberos.  For SSSD it is in particular helpful on laptops, where
>>> authentication data can be cached locally to be capable of offline
>>> authentication as well as caching enough information to automatically
>>> fetch a Kerberos ticket once the network access has been established.
>>
>> I already had been using authconfig for sssd setup. Authentication (via
>> AD/ldap) and caching works well. I only need per-user mounting of their
>> AD directories and hadn't found a hint in the authconfig man page.
>>
>>> And SSSD do have some support for handling the autofs/automount stuff too.
>>
>> Ok, that seems the way to go. Through your tip I now found that there is
>> an autofs/automount via "ldap_autofs_*" in sssd. Let's see if I get this
>> set up.
>>
>>> Otherwise, do have a look at the FreeIPA stuff too.  There's a lot of
>>> good things in that package, which also doesn't require much resources
>>> on the server side.  For clients, it gets even easier.  You just need to
>>> install the proper IPA packages and run ipa-server-install or
>>> ipa-client-install, that's mostly all you need.  FreeIPA also makes use
>>> of SSSD and authconfig under the hood.
>>
>> Yeah, looks like a good thing, but afaics I would have to set up a server
>> for that. I think at first I have to get comfy with the basics in the
>> "red hatted" world (I am coming from a Debian and SUSE background).
>>
>> Thank you for your hints!
>
> As you seem to also use AD, you might be pleased to know that it is
> possible to integrate AD and FreeIPA.  IIRC, one of the new features in
> EL7.2 was also "one way trust" in addition to the "full trust" available
> in earlier versions of FreeIPA.
>
> This means that AD users get access to machines enrolled in IPA,
> according to configured policies.
>
> And the automount/autofs stuff is also very easily configured in IPA too.
>
> A final note on setting up FreeIPA on SL7:
>
> * server side
>    yum install ipa-server
>    ipa-server-install   # see --help for several useful options
>    # wait for install script to complete
>    # done
>
> Now you can log into the web admin UI by accessing the servers host name
> from a browser.
>
> * client side
>    yum install ipa-client
>    ipa-client-install
>    # wait for install script to complete
>    # done
>
> I'll admit that I have never installed and configured IPA together with
> AD, but the demos I have seen at several conferences have not been
> really scary.  If you set up IPA to use external DNS servers, you might
> need to add a few entries there, but it might also be that the AD
> integration does a lot of it for you too.
>
> You may very well also install IPA server on an existing server, if that
> would work with your sys-admin policies.  The IPA server does not
> require too many resources at all, neither RAM, CPU nor disk.
>
> Setting up replica IPA servers is also not a big challenge.  Setup
> scripts usually work very well and the official documentation is quite
> good too.
>
> <https://access.redhat.com/articles/1586893>
> <http://www.freeipa.org/page/Documentation>
>
>
> --
> kind regards,
>
> David Sommerseth
>
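The sssd.conf fragment below is an added example, not configuration posted in this thread; it shows the sssd "ldap_autofs_*" setup for per-user AD home directory mounts that Lars was looking for. It assumes a constructed AD domain ad.example.com whose automount maps live under ou=automount in the nisMap/nisObject (Services for NIS) schema; the search base and attribute names must be adjusted to whatever schema your directory actually uses.

```ini
# /etc/sssd/sssd.conf  (added example; domain, base DN and schema are assumptions)
[sssd]
services = nss, pam, autofs
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# cache credentials so laptops can log in offline, as discussed above
cache_credentials = True

# Serve automount maps from the same AD directory (assumed location and schema)
autofs_provider = ad
ldap_autofs_search_base = ou=automount,dc=ad,dc=example,dc=com
ldap_autofs_map_master_name = auto.master
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
```

For the maps to be used, /etc/nsswitch.conf also needs `automount: sss`, and sssd refuses to start unless sssd.conf is owned by root with mode 0600; restart sssd and then autofs after changing it.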
