<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/17/2015 04:05 PM, David
      Fitzgerald wrote:<br>
    </div>
    <blockquote
      cite="mid:958EF916EB06874283F9B8F820726DD3B9FFA10B@FSMB1.muad.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Hello,<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">I am currently running an IPA 3.3 server on
          CentOS 7.  I have 70 IPA client machines running Scientific
          Linux 6.6 and 150 users.  User directories are auto-mounted
          from a CentOS 7 file server.
          <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">I have been informed that all computer
          users on our campus must now authenticate off of the
          University’s Active Directory server, including all Linux
          machines.  I have been looking through the IPA documentation
          and am getting myself confused and not completely
          understanding what needs to be done, thus I have some
          questions. 
          <o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoListParagraph"
          style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1
          lfo1">
          <!--[if !supportLists]--><span style="mso-list:Ignore">1.<span
              style="font:7.0pt "Times New Roman"">      
            </span></span><!--[endif]-->The docs talk about setting up a
          trust between the IPA server and the AD server.  Will I need
          to change all of the IPA clients as well as the IPA server, or
          do I only need to change the server and not have to touch the
          clients?</p>
      </div>
    </blockquote>
    <br>
    With IPA on CentOS 7 you can establish trust and your 6.6 machines
    should be capable of picking up the trust automatically.<br>
    <blockquote
      cite="mid:958EF916EB06874283F9B8F820726DD3B9FFA10B@FSMB1.muad.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoListParagraph"
          style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1
          lfo1"><o:p></o:p></p>
        <p class="MsoListParagraph" style="margin-left:.25in">                       
          <o:p>
          </o:p></p>
        <p class="MsoListParagraph"
          style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1
          lfo1">
          <!--[if !supportLists]--><span style="mso-list:Ignore">2.<span
              style="font:7.0pt "Times New Roman"">      
            </span></span><!--[endif]-->Do I even need to set up a full
          trust relationship just to authenticate my users with AD?</p>
      </div>
    </blockquote>
    <br>
    You have three options: <br>
    - Establish trust<br>
    - Sync users from AD to IPA<br>
    - Drop IPA and go direct AD (but you lose a lot).<br>
    <br>
    We recommend the trust approach and yet it is a full trust, but that
    does not mean that it is wild west. The trust just means that users
    can cross authenticate. But if there are no permissions set (which is
    the case by default), the users, even if they are authenticated, can't
    do anything. So if your AD guys are worried that the trust would
    open the can of worms, it would not.<br>
    <br>
    <blockquote
      cite="mid:958EF916EB06874283F9B8F820726DD3B9FFA10B@FSMB1.muad.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoListParagraph"
          style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1
          lfo1"><o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoListParagraph"
          style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1
          lfo1">
          <!--[if !supportLists]--><span style="mso-list:Ignore">3.<span
              style="font:7.0pt "Times New Roman"">      
            </span></span><!--[endif]-->Since I already have 150 users,
          will I have to delete their IPA accounts before setting up the
          trust?  W<o:p></o:p></p>
      </div>
    </blockquote>
    <br>
    Are these users the same as AD users?<br>
    If they are, you can move to IPA 4.1 and convert them to ID Views to
    assign POSIX data to the AD users and then remove.<br>
    <a class="moz-txt-link-freetext" href="https://copr.fedoraproject.org/coprs/mkosek/freeipa/">https://copr.fedoraproject.org/coprs/mkosek/freeipa/</a><br>
    <blockquote
      cite="mid:958EF916EB06874283F9B8F820726DD3B9FFA10B@FSMB1.muad.local"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Sorry if my questions are a bit basic, but
          I need some guidance to get me started.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Thanks!<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Dave<o:p></o:p></p>
        <p class="MsoListParagraph"><o:p> </o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">++++++++++++++++++++++++++++++<o:p></o:p></p>
        <p class="MsoNormal">David Fitzgerald<o:p></o:p></p>
        <p class="MsoNormal">Department of Earth Sciences<o:p></o:p></p>
        <p class="MsoNormal">Millersville University<o:p></o:p></p>
        <p class="MsoNormal">Millersville, PA 17551<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Phone:  717-871-2394<o:p></o:p></p>
        <p class="MsoNormal">E-Mail:  <a class="moz-txt-link-abbreviated" href="mailto:david.fitzgerald@millersville.edu">david.fitzgerald@millersville.edu</a><o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>