[Freeipa-users] FreeIPA as domain controller?

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 17 14:06:09 UTC 2016


On ma, 17 loka 2016, Brian Candler wrote:
>On 17/10/2016 11:14, Alexander Bokovoy wrote:
>>We are not yet at the point you could use IPA-hosted identities to login
>>to Windows machines joined to AD, though, regardless which AD
>>implementation it is.
>>
>That's very helpful, thank you. So basically it means that for the 
>time being, our admins will need two identities (one in each realm) 
>and there is not much benefit in setting up cross-realm trust.
>
>Would there be any benefit the other way round - creating identities 
>in S4 and using them to login to FreeIPA-joined *nix boxes? I guess 
>the problem then is where posix attributes like uid and gid come from.
This works for Samba AD > 4.4. The code in Samba that supports forest
trust is a bit new (and was written at Red Hat's request), so depending
on what version you are using, your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic
ones. We default to an algorithmic ID range if existing POSIX IDs aren't
found.

See the ID MAPPING section in the sssd-ad man page for details. You don't
need to configure anything in SSSD, though, because it is done
automatically based on the ID ranges in IPA.

-- 
/ Alexander Bokovoy
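An added illustration of the algorithmic mapping the reply refers to (example code written for this thread, not from FreeIPA, SSSD or Samba): an ipa-ad-trust ID range is described by the same fields `ipa idrange-add` takes (domain SID, base ID, range size, RID base), and a trusted user's UID is the range's base ID plus the offset of the RID from the RID base. The range values and SIDs below are constructed.

```python
"""Toy model of how an IPA 'ipa-ad-trust' ID range turns a trusted AD
user's SID into a POSIX ID.  Example code for this thread, not from
FreeIPA or SSSD; all range values and SIDs are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    """Fields of an ipa-ad-trust range as `ipa idrange-add` names them
    (constructed values; real ones come from `ipa idrange-find`)."""
    dom_sid: str      # SID of the trusted AD domain
    base_id: int      # first POSIX ID of the range
    range_size: int   # number of IDs the range covers
    rid_base: int     # RID that maps onto base_id


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if (not sid.startswith("S-1-") or len(parts) < 5
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_id(sid: str, ranges: list[IdRange]) -> Optional[int]:
    """id = base_id + (rid - rid_base), only if the SID's domain owns a
    range and the RID lies inside that range's window.  None means the
    user gets no POSIX ID at all (no range, or RID outside it)."""
    dom_sid, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid != dom_sid:
            continue
        offset = rid - r.rid_base
        if 0 <= offset < r.range_size:
            return r.base_id + offset
    return None


# Constructed trust range for a constructed AD domain SID.
RANGES = [IdRange(dom_sid="S-1-5-21-1111-2222-3333",
                  base_id=1_000_000, range_size=200_000, rid_base=0)]

if __name__ == "__main__":
    print(sid_to_id("S-1-5-21-1111-2222-3333-1104", RANGES))    # 1001104
    print(sid_to_id("S-1-5-21-1111-2222-3333-250000", RANGES))  # None
    print(sid_to_id("S-1-5-21-9999-9999-9999-500", RANGES))     # None
```

A RID beyond the range size yields no ID, which is the symptom to look for when a trusted user resolves in AD but not on the IPA-joined host.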