[Freeipa-users] IPA AD Trust issue
KevinTang at umac.mo
Wed Sep 11 09:57:00 UTC 2013
Dear Alexander,
Understood, thank you very much.
Kevin.
From: Alexander Bokovoy <abokovoy at redhat.com>
To: KevinTang at umac.mo
Cc: freeipa-users at redhat.com
Date: 09/11/2013 02:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, KevinTang at umac.mo wrote:
>Dear Alexander,
>
>If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
>all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client
>log on with the Windows AD username only? (only use 'userA' to log in directly,
>not 'userA at win_ad.com').
If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync which is copying user entries from AD to IPA. In this
case AD users become IPA users. It is not a trust per se, only a
synchronization. In particular, users will not be able to use their AD
Kerberos credentials at all.
But yes, in winsync case these users will be able to login with just a
user name.
>Or after replication, can I use an IPA account to log on to a Windows client PC
>with only the IPA username? (only use 'userB' to log on, rather than
>'userB at ipa_ad.com').
No, synchronization is from AD to IPA, not the other way around. A
change in IPA for the account which was synchronized from AD will be
propagated back to AD but IPA users will not be copied to AD.
--
/ Alexander Bokovoy