<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/20/2015 07:02 AM, Email wrote:<br>
</div>
<blockquote
cite="mid:CAJ4YdAQWPaGHK_1idZjHmR8WQTjXMa45tAezMGQ+iKWPaxP0_Q@mail.gmail.com"
type="cite">Hi Rich, thanks for the reply. Here is the link I'm
working with <a moz-do-not-send="true"
href="https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html">https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html</a>
<div><br>
</div>
<div>I'm looking at both options, the cross forest trust and
winsync. For my project FreeIPA needs to be authoritative
wherever possible. Users need one domain account that works on
Linux and Windows. Why would trusts be a better solution than
winsync? Thanks for your help. <br>
</div>
</blockquote>
<br>
Please keep replies on-list.<br>
<br>
In general, any time you don't have to copy information around, and
ensure that it is in sync, and remains in sync, that is a better
solution. Trusts do not copy/sync information, so in general it
is preferred.<br>
<br>
In your case, it seems that you want FreeIPA to be the authoritative
source of information? And you want to create new users/groups in
FreeIPA, and use that information in the AD/Windows environment? Is
that correct?<br>
<br>
<blockquote
cite="mid:CAJ4YdAQWPaGHK_1idZjHmR8WQTjXMa45tAezMGQ+iKWPaxP0_Q@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>Tony<br>
<br>
On Wednesday, July 15, 2015, Rich Megginson &lt;<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>&gt;
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>On 07/15/2015 09:42 AM, Email wrote:<br>
</div>
<blockquote type="cite">Hi everyone, my name is Tony and
this is my first post, so it's nice to meet all of you.
I've been tasked with creating an AD and FreeIPA
environment, and I'm looking into the sync between the
two. It looks like creating a user in AD causes that user
to be created in IPA, but not the other way around. But
if I create them in IPA they will not be auto created in
AD. I'm wondering why this is.</blockquote>
<br>
This is intentional. If you are using FreeIPA and Windows
sync, it is assumed you want AD to be the provisioning
system for new users, and not FreeIPA.<br>
<br>
I would seriously consider using trusts instead of Windows
sync.<br>
<br>
<blockquote type="cite">See section 8.1 of the Fedora
documentation as a reference. </blockquote>
<br>
Link please? We may need to clarify the language.<br>
<br>
<blockquote type="cite">Thanks in advance!
<div><br>
</div>
<div>~Tony <br>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>