[Freeipa-users] Sync useradd from IPA to AD

Rich Megginson rmeggins at redhat.com
Mon Jul 20 15:24:12 UTC 2015 

On 07/20/2015 07:02 AM, Email wrote:
> Hi Rich, thanks for the reply.  Here is the link I  working with 
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html 
>
>
> I'm looking at both options, the cross forest trust and winsync.  For 
> my project FreeIPA needs to be authoritative wherever possible.  Users 
> need one domain account that works on Linux and Windows.  Why would 
> trusts be a better solution that winsync?  Thanks for your help.

Please keep replies on-list.

In general, any time you don't have to copy information around, and 
ensure that it is in sync, and remains in sync, that is a better 
solution.  Trusts does not copy/sync information, so in general it is 
preferred.

In your case, it seems that you want FreeIPA to be the authoritative 
source of information?  And you want to create new users/groups in 
FreeIPA, and use that information in the AD/Windows environment?  Is 
that correct?

>
> Tony
>
> On Wednesday, July 15, 2015, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 07/15/2015 09:42 AM, Email wrote:
>>     Hi everyone, my name is Tony and this is my first post, so it's
>>     nice to meet all of you. I've been tasked with creating an AD and
>>     FreeIPA environment, and I'm looking into the sync between the
>>     two.  It looks like creating a user in AD causes that user to be
>>     created in IPA, but not the other way around.  But if I create
>>     them in IPA they will not be auto created in AD.  I'm wondering
>>     why this is.
>
>     This is intentional.  If you are using FreeIPA and windows sync,
>     it is assumed you want AD to be the provisioning system for new
>     users, and not FreeIPA.
>
>     I would seriously consider using trusts instead of windows sync.
>
>>     See section 8.1 of the fedora documentation as a reference. 
>
>     Link please?  We may need to clarify the language.
>
>>     Thanks in advance!
>>
>>     ~Tony
>>
>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150720/f5761690/attachment.htm>

More information about the Freeipa-users mailing list