[Freeipa-users] Is WinSync A Bad Choice?

Jason B. Nance jason at tresgeek.net
Wed Feb 1 21:00:55 UTC 2017


Hello everyone,

I'm about to deploy a fresh IPA domain that needs to integrate with Active Directory.  In my lab environment I've set up a trust with AD and the following items are driving me away from using the trust:

    - Users can't log in to a Linux box using just "username" (user at ad.domain is used)
    - Since AD trust users don't show up in the FreeIPA web UI, users can't log in to manage their own SSH keys
    - User/group management in general becomes largely a command-line operation (such as mapping groups so they can be used in HBAC and sudo rules)

First, if any of the above is incorrect or there are workarounds I am very much open to discussion.

I'm considering using WinSync+PassSync so that users and groups appear as "real" IPA objects to be managed normally.  Given that an entire tool has been written to migrate away from WinSync to AD trusts, and that language in the RH documentation suggests only using WinSync if you have to, I'm wondering what issues I'm not considering and if I could be heading toward a world of hurt.

Guidance in this area is appreciated.

Thanks,

j
