[Freeipa-users] ID Views without AD

Alexander Bokovoy abokovoy at redhat.com
Fri Feb 19 12:20:52 UTC 2016


On Fri, 19 Feb 2016, Mike Kelly wrote:
>Ahha! I seem to have gotten somewhere now!
>
>I just re-applied the view to my host, restarted sssd and cleared its
>cache, and it's now picking up my overridden UID and GID! (I had to
>manually add an entry for the overridden GID to /etc/group, because FreeIPA
>won't let me override the private user groups.)
>
>One odd caveat, but perhaps this is part of the design... if I do a `getent
>$IPA_UID` or `getent $OVERRIDE_UID`... both give the same output, my user
>with the overridden UID. I'd expect the first one to just give no result?
That's by design.

>----
>One side question, though... now that I have done half of the work for an
>AD trust... is it possible for me to make my FreeIPA server into an AD
>controller for the one Windows box in my house? Some searching I did before
>indicated no, in part because Samba required Heimdal instead of MIT
>Kerberos... is that still true?
Yes and no. FreeIPA cannot be made an AD controller, and even when we
complete porting Samba AD to use MIT Kerberos, that will not change, as
Samba AD is using its own, completely separate, data store and cannot be
made to use an external LDAP server for that. Samba AD is a special mode
in Samba, different from the traditional domain controller mode used by
FreeIPA.

So while you are able to join your Windows machine to Samba AD with
Heimdal now or with MIT Kerberos in the future, this will be a join to a
totally separate domain.


-- 
/ Alexander Bokovoy



