[Freeipa-users] IPA & AD trust question

Sumit Bose sbose at redhat.com
Fri May 31 07:37:01 UTC 2013


On Fri, May 31, 2013 at 06:52:27AM +0000, Ondrej Valousek wrote:
> Hi List,
> 
> I have a question - is it possible to use AD trust the way that:
> 1. All users are stored in AD
> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are stored in IPA?

Yes, sudo and HBAC for sure; I haven't tested automount maps, but so far
I can see no issues.

> 
> If yes then:
> 1. Will this scenario honour the RFC2307 user attributes in AD?

We are trying to support RFC2307 attributes in AD with the next releases
of SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
AD user's RID is available.

> 2. What is the best way to implement this? Imagine AD realm EXAMPLE.COM. Which realm should I choose for IPA? How about DNS?

The only requirement is to use a different DNS domain to make Kerberos
work properly. I would always recommend using the IPA DNS server to
manage the IPA domain and adding delegation and glue records from and to
the other domains. See
https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2 for
examples.

> 
> Thanks,
> Ondrej
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
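The reply above says that, without RFC2307 attributes, trusted AD users get their POSIX IDs by an algorithmic mapping derived from the RID in their SID. The following is an added illustration of that idea and is not SSSD's or FreeIPA's code: the range values mirror SSSD's documented defaults, but the slice-selection hash (SHA-256 here) is a stand-in for SSSD's actual scheme, so the concrete numbers it produces are only meaningful within this script. What it does show is the property that matters operationally: the mapping is deterministic in the domain SID, the RID and the range configuration, so every host that shares the same configuration agrees on the UID, and a RID that does not fit the slice is rejected rather than silently wrapped onto another user's ID.

```python
"""Constructed illustration of RID-based algorithmic ID mapping for an AD
trust (the mode the reply describes). Not SSSD's implementation: the range
parameters below are assumed to match SSSD's defaults, while the
domain-to-slice hash is a simplified substitute for SSSD's own scheme."""
import hashlib
import re

# Assumed ID range parameters (modelled on SSSD's ldap_idmap_range_min,
# ldap_idmap_range_max and ldap_idmap_range_size defaults).
RANGE_MIN = 200000
RANGE_MAX = 2000200000
RANGE_SIZE = 200000

# Domain SID (S-1-5-21-a-b-c) followed by the object's RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a user or group SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain object SID: %s" % sid)
    return m.group(1), int(m.group(2))


def slice_for_domain(domain_sid):
    """Pick a slice of the configured range for this domain.

    Constructed: SHA-256 of the domain SID is used here purely so that the
    choice is deterministic across hosts; SSSD uses a different hash."""
    n_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    digest = hashlib.sha256(domain_sid.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % n_slices


def map_sid_to_id(sid):
    """Map a SID to a POSIX ID: slice base plus the RID.

    A RID larger than the slice is an error rather than a wrap-around, which
    would otherwise hand the user an ID belonging to another slice."""
    domain_sid, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d does not fit in a slice of %d IDs" % (rid, RANGE_SIZE))
    base = RANGE_MIN + slice_for_domain(domain_sid) * RANGE_SIZE
    return base + rid


if __name__ == "__main__":
    # Constructed sample SIDs: two users from one domain, one from another.
    for sid in ("S-1-5-21-1111-2222-3333-1104",
                "S-1-5-21-1111-2222-3333-1105",
                "S-1-5-21-4444-5555-6666-1104"):
        print(sid, "->", map_sid_to_id(sid))
```

Because the result depends only on the SID and the range settings, two hosts with different range settings will assign different UIDs to the same AD user, which shows up as mismatched file ownership on shared storage; keeping the configuration identical across the deployment (or moving to the RFC2307 attributes the reply mentions) is what prevents that.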
