[Freeipa-users] Mixing local FreeIPA users with active directory users

Sumit Bose sbose at redhat.com
Fri Nov 21 08:52:35 UTC 2014


On Thu, Nov 20, 2014 at 07:42:30PM -0500, Dmitri Pal wrote:
> On 11/20/2014 07:38 PM, William Muriithi wrote:
> >Hi guys,
> >
> >I am wondering how one would go about allowing both AD users and FreeIPA
> >users to work in harmony.
> >
> >I recently was able to get FreeIPA to use trust to service unix systems.
> >However, I encountered resistance as some people didn't like the long
> >username, for example, username at domain.local@dev1.example.com. So I
> >created local accounts and forced everyone back to FreeIPA users.

I'm wondering why you need these very long names with the double @-sign.
Typically you should be able to use aduser at AD.DOMAIN or ADSHORT\aduser,
as you have to do with Windows when accessing trusted forests.

> >
> >Some people didn't mind the name format and would prefer a single username
> >everywhere. So now things are a bit cool; I am investigating if these
> >accounts can coexist and would like it to be up to the users which
> >account they will use.
> >
> >When I check id when logged in with an AD account, I don't see the group
> >developer, but see developers at example.local. This is a problem since I
> >can't assign files to two groups, something I need as they have files they
> >all have to change. I also need both users to have SUDO access; this is fine
> >as I can just duplicate the SUDO commands, one for the developers group and another
> >for developers at example.local.
> >
> >
> >How would one fix file sharing between ad and FreeIPA users?

You can put AD groups into IPA groups via a special IPA group you can
create with the --external option. To this group you can add an AD group
and then you can put this group into any other IPA POSIX group. Now you
can use this IPA POSIX group to grant access to all IPA and AD users
which are members of the related groups.


HTH

bye,
Sumit

> >
> >I don't think one can put a group within another group? Or am I wrong on
> >that? Google results seem negative
> >
> >Thanks for advice
> >
> >William
> >
> >
> >
> Check this
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
> I think you might want to consider views and override names there.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 

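The group nesting Sumit describes (external group holding the AD group, nested into an IPA POSIX group), written out as an added example that is not part of the thread. The group names ad_devs_external, developers and the AD group 'EXAMPLE\developers' are placeholders; the ipa subcommands and the --external flag are the real FreeIPA CLI. The script first emits the commands for review, and `id_has_group` checks the output of `id <aduser>` for the plain POSIX group name, which is the condition William needs for shared files and a single sudo rule:

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Nests an AD group into an
# IPA POSIX group through an external group, then checks a user's resolved
# groups. ad_devs_external, developers and 'EXAMPLE\developers' are assumed
# placeholder names; replace them with your own.
set -eu

# Print the ipa commands that link AD group $2 to IPA POSIX group $3 through
# the external group $1. Emitted as text so they can be reviewed before running;
# `ipa` needs an admin ticket (kinit admin) and a working trust.
build_ipa_commands() {
    ext_group=$1; ad_group=$2; posix_group=$3
    # --external members must be named DOMAIN\group or group@domain
    case $ad_group in
        *\\*|*@*) ;;
        *) printf 'AD group must look like DOMAIN\\group or group@domain: %s\n' "$ad_group" >&2
           return 1 ;;
    esac
    printf '%s\n' \
      "ipa group-add --external '$ext_group' --desc 'AD members'" \
      "ipa group-add-member '$ext_group' --external '$ad_group'" \
      "ipa group-show '$posix_group' >/dev/null 2>&1 || ipa group-add '$posix_group'" \
      "ipa group-add-member '$posix_group' --groups '$ext_group'"
}

# Given the output of `id <user>` as $1, succeed only if the POSIX group $2
# appears by its plain name in the groups=... list. The AD-side name
# developers@example.local does not count, which is exactly the distinction
# William ran into.
id_has_group() {
    groups=${1#*groups=}
    case ",$groups," in
        *"($2)"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh nest_ad_group.sh apply   (runs the commands; without "apply" only prints them)
if [ "${1:-}" = "apply" ]; then
    build_ipa_commands ad_devs_external 'EXAMPLE\developers' developers | sh -e
elif [ "${1:-}" = "show" ]; then
    build_ipa_commands ad_devs_external 'EXAMPLE\developers' developers
fi
```

After applying, SSSD on the client may still serve a cached group list; `sss_cache -E` on the client (or waiting for the cache to expire) makes `id aduser@example.local` pick up the nested POSIX group, and a single sudo rule on `developers` then covers both the IPA and the AD members.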