[Freeipa-users] FreeIPA as domain controller?
Brian Candler
b.candler at pobox.com
Mon Oct 17 14:23:57 UTC 2016
On 17/10/2016 15:06, Alexander Bokovoy wrote:
>> Would there be any benefit the other way round - creating identities
>> in S4 and using them to login to FreeIPA-joined *nix boxes? I guess
>> the problem then is where posix attributes like uid and gid come from.
> This works for Samba AD > 4.4. The code in Samba that supports forest
> trust is a bit new (and was written by Red Hat's request) so depending
> on what version you are using your experience will vary.
>
> IPA supports different methods for mapping IDs, including algorithmic
> ones. We default to algorithmic ID range if existing POSIX IDs aren't
> found.
>
> See ID MAPPING section in sssd-ad man page for details. You don't need
> to configure anything in SSSD, though, because it is done automatically
> based on the ID ranges in IPA.

OK, but let me just see if I can clarify. Given the following scenario:

    SAMBA . . . . . . FREEIPA
      |                  |
     USER              SERVER

The server isn't joined directly to the Samba domain, but the manpage
for sssd-ad says "This provider requires that the machine be joined to
the AD domain".

So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically
use this module if, because of trust relationships, a user from the
Samba domain logs into it? Would it need configuration, or does it pick
up everything it needs from the DNS?

2. If I create the posix uids/gids as extra attributes in the Samba
domain, the algorithmic ID mapping isn't required?

Thanks,

Brian.
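
The range-based algorithmic mapping mentioned in the quoted reply, as an added example that is not part of the original message or of FreeIPA/SSSD code. It assumes the POSIX ID is the range's base ID plus the offset of the SID's RID from the range's base RID; the field names, SIDs and range values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    """One ID range for a trusted domain (hypothetical field names)."""
    domain_sid: str  # SID of the trusted domain, without the trailing RID
    base_id: int     # first POSIX ID of the range
    base_rid: int    # RID that maps to base_id
    size: int        # number of IDs in the range


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return domain, int(rid)


def sid_to_posix_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Map a user or group SID to a POSIX ID, or None if no range covers it."""
    domain, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain and r.base_rid <= rid < r.base_rid + r.size:
            return r.base_id + (rid - r.base_rid)
    return None  # unknown domain, or RID outside the range: refuse to map


def overlapping(ranges: List[IdRange]) -> List[Tuple[IdRange, IdRange]]:
    """Pairs of ranges whose POSIX intervals intersect; two different SIDs
    could then resolve to the same uid/gid and share file ownership."""
    ordered = sorted(ranges, key=lambda r: r.base_id)
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if b.base_id < a.base_id + a.size]


# Constructed sample data: one trusted Samba domain, one conflicting range.
SAMBA = IdRange("S-1-5-21-1111111111-2222222222-3333333333", 1_000_000, 0, 200_000)
OTHER = IdRange("S-1-5-21-4444444444-5555555555-6666666666", 1_100_000, 0, 200_000)

if __name__ == "__main__":
    print(sid_to_posix_id(SAMBA.domain_sid + "-1105", [SAMBA]))
    print(overlapping([SAMBA, OTHER]))
```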