[Freeipa-users] ntGroup MUST ntUserDomainId?

Martin Kosek mkosek at redhat.com
Wed Mar 4 17:24:42 UTC 2015


On 03/04/2015 02:33 PM, Hugh wrote:
> On 3/4/2015 2:00 AM, Martin Kosek wrote:
>> On 03/04/2015 04:57 AM, Hugh wrote:
>> Hello Hugh,
>>
>> Before you dive in further in the FreeIPA winsync and groups, please note that
>> FreeIPA does not support group sync from/to AD and there are no plans for
>> adding that capability. We are focusing on AD Trusts instead, as *the* way for
>> cooperation with AD. This is the related upstream ticket with a similar request, just
>> in the other direction:
>>
>> https://fedorahosted.org/freeipa/ticket/3946
> 
> We would prefer to use trusts and I tried that first, but then I
> discovered that logging into Windows workstations joined to the AD
> domain with IPA user accounts is not supported due to lack of a Global
> Catalog. Therefore, I had to resort to using a synch instead.

I see.

> I'm assuming that implementing a Global Catalog will take a while, so
> I'd probably suggest/request that feature additions to synch agreements
> not be closed off.

We are mostly not closing it off; if there is a contribution from the community
for the said feature, we will not reject it just because it is a winsync feature.
But adding group support to the winsync plugin is a non-trivial development effort
and we would rather focus on the said Global Catalog support, which is the better
choice in the long run.

I am now thinking how your use case could be worked around without significant
development. I can only think of having a parallel script polling the new/updated
LDAP groups (based on modify time) and then uploading them to AD, with adcli for
example (http://www.freedesktop.org/software/realmd/adcli/adcli.html). But this
is suboptimal, yes.

Martin
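The polling workaround sketched above, as an added illustration that is not part of this thread and not FreeIPA or adcli project code: it builds the LDAP filter on modifyTimestamp, keeps the newest server-side timestamp as the cursor for the next run (so the poller's own clock skew cannot open a gap), turns member DNs into user logins, and plans adcli calls that authenticate from a Kerberos ticket cache rather than a password on the command line. The LDAP search is injected so the script runs offline against a constructed sample; the suffix, AD domain and adcli subcommand shapes (create-group, add-member, --login-ccache) are assumptions to check against your own deployment and the adcli man page.

```python
"""Poll FreeIPA LDAP for recently modified groups and mirror them to AD with adcli.

Added example, not FreeIPA or adcli project code.  Suffix, domain and the adcli
argument shapes are assumptions; the LDAP search is injected so the logic can be
exercised offline against the constructed SAMPLE_GROUPS below.
"""
import re
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Sequence, Tuple

IPA_GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=com"  # placeholder: search base for a real query
AD_DOMAIN = "ad.example.com"                                  # placeholder AD domain

LdapEntry = Dict[str, object]  # attribute name -> string or list of strings


def to_generalized_time(ts: datetime) -> str:
    """LDAP GeneralizedTime in UTC, the form modifyTimestamp uses (e.g. 20150304172442Z)."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(s: str) -> datetime:
    """Inverse of to_generalized_time; used to read the persisted cursor back in."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def build_filter(since: datetime) -> str:
    """Groups whose modifyTimestamp is at or after the cursor.  '>=' rather than '>' so a
    write landing in the same second as the last poll is not lost; the price is re-sending
    an unchanged group now and then, so the AD side must tolerate that (idempotence)."""
    return f"(&(objectClass=groupofnames)(modifyTimestamp>={to_generalized_time(since)}))"


def member_uids(member_dns: Sequence[str]) -> List[str]:
    """Extract user logins from member DNs.  Nested group DNs are skipped on purpose:
    adcli add-member takes user names, and flattening nesting is a policy decision."""
    uids = []
    for dn in member_dns:
        m = re.match(r"uid=([^,]+),cn=users,cn=accounts,", dn, re.IGNORECASE)
        if m:
            uids.append(m.group(1))
    return uids


def plan_commands(groups: Sequence[LdapEntry], domain: str) -> List[List[str]]:
    """Build adcli argv lists.  --login-ccache (assumed adcli semantics) makes adcli use
    the Kerberos ticket cache of the service account running the poller, so no AD
    password appears in the script, a cron line or the process list."""
    cmds = []
    for g in groups:
        cn = str(g["cn"])
        cmds.append(["adcli", "create-group", f"--domain={domain}", "--login-ccache", cn])
        users = member_uids(g.get("member", []))  # type: ignore[arg-type]
        if users:
            cmds.append(["adcli", "add-member", f"--domain={domain}", "--login-ccache", cn, *users])
    return cmds


def sync_once(search: Callable[[str], List[LdapEntry]], since: datetime, domain: str,
              run: Optional[Callable[[List[str]], None]] = None
              ) -> Tuple[List[List[str]], Optional[str]]:
    """One poll: plan (and optionally execute) the adcli calls and return the newest
    modifyTimestamp seen, which the caller persists as the next cursor."""
    groups = search(build_filter(since))
    cmds = plan_commands(groups, domain)
    if run is not None:
        for cmd in cmds:
            run(cmd)
    newest = max((str(g["modifyTimestamp"]) for g in groups), default=None)
    return cmds, newest


def run_adcli(cmd: List[str]) -> None:
    """Execute without a shell: argv is a list, so group names are never shell-parsed."""
    subprocess.run(cmd, check=True)


# Constructed sample directory content standing in for a real LDAP search result.
SAMPLE_GROUPS: List[LdapEntry] = [
    {"cn": "devops", "modifyTimestamp": "20150304120000Z",
     "member": ["uid=hugh,cn=users,cn=accounts,dc=example,dc=com",
                "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"]},
    {"cn": "legacy", "modifyTimestamp": "20150201090000Z", "member": []},
]


def sample_search(ldap_filter: str) -> List[LdapEntry]:
    """Offline stand-in for an LDAP search: applies the filter's modifyTimestamp bound to
    SAMPLE_GROUPS.  Fixed-width GeneralizedTime strings compare correctly as plain strings."""
    cursor = re.search(r"modifyTimestamp>=(\d{14}Z)", ldap_filter).group(1)
    return [g for g in SAMPLE_GROUPS if str(g["modifyTimestamp"]) >= cursor]


if __name__ == "__main__":
    planned, cursor = sync_once(sample_search, parse_generalized_time("20150301000000Z"), AD_DOMAIN)
    for c in planned:
        print(" ".join(c))
    print("next cursor:", cursor)
```

In a real run, replace sample_search with a search over LDAPS or GSSAPI against IPA_GROUP_BASE that explicitly requests the operational attribute modifyTimestamp (it is not returned by default), pass run_adcli as the run callback, and store the returned cursor between runs. Because the filter is inclusive, create-group will eventually be re-issued for a group that already exists on the AD side, so the executor must treat that failure as benign or check for the group first; deletions and membership removals are not covered by modify-time polling at all and need a separate reconciliation.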
