Sometimes you'll need a Windows server. Or, more likely, sometimes a client really really wants a Windows server, but you can't get windows to speak directly to FreeIPA. So instead you install pGina (inherintly funny name) and have it manage your logins and talk to your FreeIPA. Assuming you've configured your FreeIPA server as shown in previous posts, and have a bind user created, the following will work.
The default behavior is that pGina will create local machine users that match the ones on FreeIPA. You can add group based rules to assign Windows group memberships. You can configure pGina to allow offline login (assuming the user has logged on before), or you can explicitly deny it. You can allow login based on group membership, or deny.
I've used 184.108.40.206 stable (its from 2013 :| ) There is a slightly newer unstable version, and there also seems to be a fork that is being actively developed (called pGina Fork) Install the pGina 220.127.116.11 exe as admin.
Open pGina and check the LDAP/Local Machine checkboxes for Authentication/Authorization/Gateway
Go to plugin order and order plugins to give LDAP priority in all 3
Go to LDAP Plugin Configuration and set IdM connection and Authentication settings as follows:
LDAP Host: freeipa.example.com LDAP Port 389 Timeout 10 Search DN uid=binduser,cn=users,cn=accounts,dc=example,dc=com Search Password: bindpassword Group DN Pattern: cn=%g,cn=groups,cn=accounts,dc=example,dc=com Member Attribute: member User DN Pattern: uid=%u,cn=users,cn=accounts,dc=example,dc=com
In the LDAP Plugin Configuration, open the Authorization tab and set
Default: Deny Deny when LDAP authentication fails: Checked Allow when server is unavailable: Unchecked Create rule: If member of LDAP group: (hostname of windows host or windows-users group) allow.
This presumes you only want specific users to log on to specific hosts - create a group in FreeIPA with the hostname of the Windows server as name and add the users you want to be able to access the Windows server. You can also just create a "windows-users" group in FreeIPA and add every user you want to be able to log on to (all) Windows servers.
In the LDAP Plugin Configuration, open the Gateway tab and set
Create rule: Always add to local group Remote Desktop Users
Go to the Simulation tab and enter credentials and test.