<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 17/10/2016 15:06, Alexander Bokovoy
wrote:<br>
</div>
<blockquote cite="mid:20161017140609.bkzaneja3oukmrtg@redhat.com"
type="cite">
<blockquote type="cite" style="color: #000000;">Would there be any
benefit the other way round - creating identities in S4 and
using them to login to FreeIPA-joined *nix boxes? I guess the
problem then is where posix attributes like uid and gid come
from.
<br>
</blockquote>
      This works for Samba AD > 4.4. The code in Samba that supports
      forest trust is a bit new (and was written at Red Hat's request) so
      depending on what version you are using your experience will vary.
      <br>
      <br>
      IPA supports different methods for mapping IDs, including
      algorithmic ones. We default to an algorithmic ID range if existing
      POSIX IDs aren't found.
      <br>
      <br>
      See the ID MAPPING section in the sssd-ad man page for details. You
      don't need to configure anything in SSSD, though, because it is done
      automatically based on the ID ranges in IPA.
</blockquote>
<p>OK, but let me just see if I can clarify. Given the following
scenario:<br>
</p>
<pre>
SAMBA . . . . . . FREEIPA
  |                  |
USER              SERVER
</pre>
<p>The server isn't joined directly to the Samba domain, but the
manpage for sssd-ad says "This provider requires that the machine
be joined to the AD domain".</p>
<p>So is it true that:<br>
</p>
<p>1. The server is not configured to use sssd-ad? Does it
automatically use this module if, because of trust relationships,
a user from the Samba domain logs into it? Would it need
configuration, or does it pick up everything it needs from the
DNS?<br>
</p>
    <p>2. If I create the posix uids/gids as extra attributes in the Samba
      domain, the algorithmic ID mapping isn't required?</p>
<p>Thanks,</p>
<p>Brian.<br>
</p>
</body>
</html>