[Freeipa-users] Replicating users/groups from AD

Petr Spacek pspacek at redhat.com
Mon Jul 25 13:50:54 UTC 2016


On 25.7.2016 15:30, Simo Sorce wrote:
> On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
>> Greetings!
>>
>>      Yes, I had been hoping there would be a way to incorporate domain
>> trusts between Active Directory and FreeIPA while the clients relying
>> on these for identity management shared the same DNS domain (eg.
>> linux.company.com and windows.company.com).  It sounds like that isn't
>> going to happen.
> 
> These are two different domains; as long as linux.company.com is used
> only by FreeIPA, this configuration is already supported via a trust
> relationship.

Let me add that there are workarounds for other cases as well:
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Petr^2 Spacek


> 
>>      Account replication seems like another way for Active Directory
>> users to be able to log in to servers using the same username/password.
>> It wouldn't have SSO, but at least a user would be able to use the same
>> username/password everywhere.  Replicating user accounts from an
>> external AD/LDAP server seems to be built in, at the moment.  There
>> aren't any plans to take that away, are there?  Ideally, I'd want a
>> two-way sync so that password changes and user group changes are
>> replicated back to AD as well.
> 
> winsync is not being further developed but we have no plans to take it
> away.
> 
> Simo.
> 
>> --David Alston
>>
>> -----Original Message-----
>> From: Simo Sorce [mailto:simo at redhat.com] 
>> Sent: Friday, July 22, 2016 10:49 AM
>> To: Alston, David
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>>
>> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
>>> Greetings!
>>>
>>>      I realize that FreeIPA is supposed to be set up as master of its
>>> own domain, but are there any plans to continue the account
>>> replication functionality that has already been in FreeIPA?  I had
>>> heard a rumor that it would be possible to have FreeIPA and Active
>>> Directory coexist in the same domain in some release in the future.
>>> Am I waiting for a feature that will never come?
>>
>>
>> Hi David,
>> in order to respond to your question, an idea of what your expectations are is needed.
>>
>> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they will never coexist.
>>
>> If by Domain you mean DNS Domain, then FreeIPA can work in the same domain as AD, but only if you do not care for them interacting (at the Kerberos level: no trusts, no SSO).
>> You can basically have only one association between a DNS domain and a Realm, and a DNS domain is either going to be associated with the AD Domain server or with the IPA Domain.
>>
>> Synchronization, however, is a completely unrelated topic, and I can't give you an answer on that side as I do not understand how it would
>> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York