[Freeipa-users] question on Active Directory and FreeIPA

Jakub Hrozek jhrozek at redhat.com
Fri Jun 19 19:15:07 UTC 2015


On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> Hello,
> 
> Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
> Right now I am using FreeIPA 3.3.3 on a CentOS 7 server, and using
> it to manage about 200 users and 90 Scientific Linux workstations, and
> everything works great.  Unfortunately I have been told that I must now
> use the University's Active Directory to authenticate all of my users.
> I have read the documentation on FreeIPA / AD integration and am not sure if
> that will meet my requirements.  All my Linux users' home directories are
> auto mounted on login from a CentOS 7 NFS server with their bash profiles
> etc. run off that mount. From what I have read it seems to me that
> FreeIPA / AD integration is more focused on getting Windows users to be
> able to log into a Linux machine with access to their Windows folders and
> profiles (oddjob creating a local home directory on the Linux box, etc.)
> I don't want this.  All I need is to simply authenticate the user using AD
> (BTW their IPA usernames and AD usernames are the same other than the
> domain) then use the info from FreeIPA as I do now. I don't need any
> folders mounted from the Windows servers.
> Have I completely misread the documentation and I can do this by integrating FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD expert by any means.

I'm not sure I completely answer your question, but... in case of IPA-AD
trust, the AD users always authenticate against AD, even in case of
password authentication on an IPA box. The passwords are not
synchronized in any way.

So I guess having the user accounts in AD, but keeping the automount
info, sudo rules etc. would satisfy your requirements?

With the recent 'views' feature, you can set POSIX attributes for IPA
users without touching the AD LDAP schema, even per-host.
