<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 02/17/2015 04:34 PM, Steven Jones
      wrote:<br>
    </div>
    <blockquote cite="mid:1424208749846.77996@vuw.ac.nz" type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
        <p>"I have been informed that all computer users on our campus
          must now authenticate off of the University's Active Directory
          server, including all Linux machines."</p>
        <p><br>
        </p>
        <p>dictated by a clueless Windows ***** no doubt, ***sigh***
          Here we are keeping both separate as AD is so bad security-wise,
          but we want some low-risk trusts for certain groups of
          machines (common desktops).
          <br>
        </p>
        <p><br>
        </p>
        <p>If the expectation is that it's directly off the AD, then you
          don't need IPA at all. However, without an expensive commercial
          add-on per Linux server/desktop you won't be able to do much
          management and control. This has security implications: if
          you had, say, a finance or HR server without these commercial
          tools, you may find any AD user could get on them, not what you
          would want.  </p>
        <p><br>
        </p>
        <p>So you have two options for keeping IPA:</p>
        <p><br>
        </p>
        <p>a) Trusts, and you should be able to keep your users.  <br>
        </p>
        <p><br>
        </p>
        <p>b) Winsync and PassSync, and all the AD users are synced over
          to IPA.  Existing users stay as is; the ones in AD but not in
          IPA get pulled over to IPA.<br>
        </p>
        <p><br>
        </p>
        <p>***maybe***</p>
        <p><br>
        </p>
        <p>c) You might be able to do both winsync and trusts at the
          same time; then that is simpler provisioning, i.e. a user gets
          created in AD and automatically gets created in IPA, ready for
          you to put in the user group you want.<br>
        </p>
      </div>
    </blockquote>
    <br>
    I am not sure this is the best solution really.<br>
    Trust and sync do not help each other. The fact that you have trust
    does not help you to provision users the way you describe.<br>
    <br>
    <blockquote cite="mid:1424208749846.77996@vuw.ac.nz" type="cite">
      <div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
        <p>
        </p>
        <p><br>
        </p>
        <p>I'd like to do c) which I am looking at at present, if I ever
          get IPA on RHEL6.6 upgraded to RHEL7.1!</p>
        <p><br>
        </p>
        <p><br>
        </p>
        <p><br>
        </p>
        <div id="Signature">
          <div name="divtagdefaultwrapper"
            style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:; margin:0">
            <div style="font-family:Tahoma; font-size:13px">
              <div style="font-family:Tahoma; font-size:13px">
                <div style="font-family:Tahoma; font-size:13px">
                  <p>regards</p>
                  <p>Steven J<br>
                  </p>
                </div>
              </div>
            </div>
          </div>
        </div>
        <div style="color: rgb(33, 33, 33);">
          <hr tabindex="-1" style="display:inline-block; width:98%">
          <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
              color="#000000" face="Calibri, sans-serif"><b>From:</b>
              <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com">&lt;freeipa-users-bounces@redhat.com&gt;</a> on behalf of
              David Fitzgerald <a class="moz-txt-link-rfc2396E" href="mailto:David.Fitzgerald@millersville.edu">&lt;David.Fitzgerald@millersville.edu&gt;</a><br>
              <b>Sent:</b> Wednesday, 18 February 2015 10:05 a.m.<br>
              <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
              <b>Subject:</b> [Freeipa-users] question about Active
              Directory authentication</font>
            <div> </div>
          </div>
          <div>
            <div class="WordSection1">
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Hello,</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                I am currently running an IPA 3.3 server on CentOS 7.  I
                have 70 IPA client machines running Scientific Linux 6.6
                and 150 users.  User directories are auto-mounted from a
                CentOS 7 file server.
              </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                I have been informed that all computer users on our
                campus must now authenticate off of the University's
                Active Directory server, including all Linux machines. 
                I have been looking through the IPA documentation and am
                getting myself confused and not completely understanding
                what needs to be done, thus I have some questions.  </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p class="MsoListParagraph" style="text-indent: -0.25in;
                margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";">
                <span style="">1.<span style="font:7.0pt "Times New
                    Roman"">       </span></span>The docs talk
                about setting up a trust between the IPA server and the
                AD server.  Will I need to change all of the IPA clients
                as well as the IPA server, or do I only need change the
                server and not have to touch the clients?</p>
              <p class="MsoListParagraph" style="margin: 0in 0in
                0.0001pt 0.5in; font-size: 11pt; font-family:
                "Calibri","sans-serif";">
                                        </p>
              <p class="MsoListParagraph" style="text-indent: -0.25in;
                margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";">
                <span style="">2.<span style="font:7.0pt "Times New
                    Roman"">       </span></span>Do I even need to
                set up a full trust relationship just to authenticate my
                users with AD?</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p class="MsoListParagraph" style="text-indent: -0.25in;
                margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";">
                <span style="">3.<span style="font:7.0pt "Times New
                    Roman"">       </span></span>Since I already
                have 150 users, will I have to delete their IPA accounts
                before setting up the trust?  W</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Sorry if my questions are a bit basic, but I need some
                guidance to get me started.</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Thanks!</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Dave</p>
              <p style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoListParagraph">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                ++++++++++++++++++++++++++++++</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                David Fitzgerald</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Department of Earth Sciences</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Millersville University</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Millersville, PA 17551</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                Phone:  717-871-2394</p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                E-Mail:  <a class="moz-txt-link-abbreviated" href="mailto:david.fitzgerald@millersville.edu">david.fitzgerald@millersville.edu</a></p>
              <p style="margin: 0in 0in 0.0001pt; font-size: 11pt;
                font-family:
                "Calibri","sans-serif";"
                class="MsoNormal">
                 </p>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>