[Freeipa-users] Two way A/D trust versus one way trust

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 16 15:49:52 UTC 2014


On Tue, 16 Sep 2014, Greg Scott wrote:
>> Even when IPA implement GC support, nothing will change: by default any user that has no explicit
>> permission in ACLs, gets what is given to all authenticated users, i.e. default read access. When GC
>> is there all that will change is that there will be ability to resolve IPA users on AD side, thus allowing
>> AD users to assign specific permissions to IPA users.
>
>Agreed.  That's close to word for word what I told them.  However, the
>perception that Windows AD trusts Linux IPA scares them, even though
>Windows admins still have total control over who can see what in their
>environment.  It's all perception because Linux is foreign and Windows
>is well known on that side of the fence.  Something to keep in mind
>when you build it.  Perception drives lots of decisions and they're not
>always rational.  Meantime, I can probably find some Microsoft
>documentation about what trusts really mean that might make them more
>comfortable.
My experience shows that many (by and large, unfortunately) Windows
administrators have scarce technical knowledge of how things
actually work behind the scenes and facades of Windows UIs.

You are absolutely spot on with the perception thing.

On a brighter note, the Microsoft protocol documentation team does a wonderful
job of maintaining specifications for AD protocols. There are occasional
issues which require clarification, but the collaboration with the Samba Team
over the past seven years has been tremendous.

-- 
/ Alexander Bokovoy
