[Freeipa-users] FreeIPA as domain controller?

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 18 17:26:27 UTC 2016


On Tue, 18 Oct 2016, Brian Candler wrote:
>On 17/10/2016 15:52, Alexander Bokovoy wrote:
>>If you set ID range for corresponding AD domain in IPA to be
>>'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
>>have POSIX attributes, then it should work.
>>
>>I think most of this is described in the Windows Integration Guide for
>>RHEL7.
>
>Thank you.
>
>Final question. Suppose I use just the ipa-client package with sssd-ad 
>pointing to Samba4 (or even real Windows AD). Is that likely to be a 
>satisfactory solution for managing the *nix boxes, or would I be 
>better off with two separate domains?
No, it is wrong to use this mode. If you made a Linux machine a client
to IPA, it will be set up to use 'ipa' provider in SSSD and that should
support all needed functionality. You don't need to change anything in
the configuration.

Remember, I pointed you to sssd-ad manual page only to make sure you
would read about ID mapping because this is the place in SSSD
documentation which explains what happens there. I did not ask you to
change IPA client setup to use 'ad' provider in SSSD.

>
>For example, would I lose the features that FreeIPA gives me like 
>host-based access controls, sudo controls, central storage of ssh 
>public keys?
Yes, you will lose all these features.


-- 
/ Alexander Bokovoy



