[Freeipa-users] Two way A/D trust versus one way trust

Dmitri Pal dpal at redhat.com
Tue Sep 16 16:13:07 UTC 2014

On 09/16/2014 11:49 AM, Alexander Bokovoy wrote:
> On Tue, 16 Sep 2014, Greg Scott wrote:
>>> Even when IPA implements GC support, nothing will change: by default
>>> any user that has no explicit permission in ACLs gets what is given
>>> to all authenticated users, i.e. default read access. When GC is
>>> there, all that will change is that there will be the ability to
>>> resolve IPA users on the AD side, thus allowing AD users to assign
>>> specific permissions to IPA users.
>> Agreed.  That's close to word for word what I told them. However, the
>> perception that Windows AD trusts Linux IPA scares them, even though
>> Windows admins still have total control over who can see what in their
>> environment.  It's all perception because Linux is foreign and Windows
>> is well known on that side of the fence.  Something to keep in mind
>> when you build it.  Perception drives lots of decisions and they're not
>> always rational.  Meantime, I can probably find some Microsoft
>> documentation about what trusts really mean that might make them more
>> comfortable.
> My experience shows that many (by and large, unfortunately) Windows
> administrators have scarce technical knowledge of how things
> actually work behind the scenes and facades of Windows UIs.
> You are absolutely spot on with the perception thing.
> On a brighter note, the Microsoft protocol documentation team does a
> wonderful job of maintaining specifications for AD protocols. There are
> occasional issues which require clarifications, but the collaboration
> with the Samba Team over the past seven years has been tremendous.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
