[Freeipa-users] a user delegated to control a OU and realmd join - how..

lejeczek peljasz at yahoo.co.uk
Wed May 18 09:32:49 UTC 2016


On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > .. if possible, would you know?
> > > > hi everybody,
> > > > I'm trying, and hoping it is possible, to realm join an AD in such
> > > > a way that I tap my IPA into a specific OU within that AD.
> > > 
> > > I'm not exactly sure what you mean here. Do you want to join a
> > > computer which is already a client in an IPA domain to AD as well?
> > > If this is the case I would recommend considering the IPA trust
> > > feature. Joining 2 domains is in general possible with SSSD but has
> > > to be done with very great care, e.g. by using different keytabs
> > > for each domain.
> > Can an IPA domain establish a trust with win AD if the IPA admin only
> > has admin control over an OU in win AD?
> 
> No, you need to be a Domain Admin with full privileges.
Many thanks Simo,
when I try a user who only has delegated admin/management over an OU I
see:
Active Directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials.
Would joining an IPA server to winAD with realmd be a kind of one-way
trust?
Is it even possible (with no reasons against doing so) to join an IPA
server/domain to AD?
I mean I did that and I could get AD users' IDs but there was some
problem with krb5, the config got messed up and the daemon would not start.
> > I know very little about AD and only started with IPA - I don't
> > suppose control of an OU delegated to a user makes that user an AD
> > admin.
> 
> It doesn't.
> 
> > I guess what I'm thinking, asking, is - what would be the correct
> > possible way to plug in, connect an IPA domain to win AD when one has
> > admin control only over an OU in win AD?
> 
> Not sure you can even do sync, there isn't really much you can do with
> those privileges, you are basically just allowed to administer a
> "group".
> 
> Simo.
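Sumit's caveat above about joining one host to two domains "with very great care, e.g. by using different keytabs for each domain", as an added illustration that is not from this thread nor from the FreeIPA or SSSD projects: a two-domain sssd.conf in which the IPA client keeps the system keytab and the AD join uses its own. The realm names, server names, hostnames and the keytab path are assumptions.

```ini
# Added example: one host enrolled in both an IPA domain and an AD domain.
# Names, servers and paths are assumptions, not values from the thread.
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.test, ad.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
ipa_hostname = host1.ipa.example.test
# The IPA client keeps the system keytab written by ipa-client-install.
krb5_keytab = /etc/krb5.keytab
cache_credentials = True

[domain/ad.example.test]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.test
ad_server = dc1.ad.example.test
ad_hostname = host1.ad.example.test
# The AD host keys live in a separate keytab so the two joins do not
# overwrite each other's entries in /etc/krb5.keytab. Assumption: this
# keytab was written by the AD join (e.g. adcli join with --host-keytab).
krb5_keytab = /etc/sssd/ad.keytab
ldap_krb5_keytab = /etc/sssd/ad.keytab
cache_credentials = True
```

A plain `realm join` writes the AD host principals into /etc/krb5.keytab by default, which on a host that is already an IPA client mixes two sets of keys in one file and is the kind of krb5 breakage described above; giving each domain its own keytab and its own hostname keeps them apart. None of this changes Simo's answer: a dual-joined client is not a trust, and `ipa trust-add` still needs Domain Admin rights in AD, not delegated control of an OU.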