I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory 
(ad.angelsofclockwork.net) and put them into a two way trust with posix. I used 
these commands:

ipa-adtrust-install --enable-compat --add-agents
ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password 
--two-way=true --range-type=ipa-ad-trust-posix

The users in AD have posix attributes assigned and those attributes are in the 
global catalog. My linux clients can see the AD users when I do a getent passwd 
u...@ad.angelsofclockwork.net. So this is working as intended. 

http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I 
used this guide to add our first mac to FreeIPA rather than AD. This guide 
worked for the most part, but I cannot get it to see the users across the trust 
boundary. I'm sure I'm either missing something or mac's open directory utility 
doesn't support trusts like we would think it should.

[root@sani ~]# dscacheutil -q user -a name admin
name: admin
password: ********
uid: 931600000
gid: 931600000
dir: /Users/admin
shell: /bin/bash
gecos: Administrator

[root@sani ~]# dscacheutil -q user -a name louis.abel
[root@sani ~]# dscacheutil -q user -a name louis.a...@ad.angelsofclockwork.net

Anyone have any suggestions? Or will I have to just connect my mac to AD and 
work with it that way? I was trying to avoid having to add to AD, but it seems 
like I'm going to have to go that route. Unless anyone has experience with 
getting it to work across trusts. From my research it seems others have tried 
to solve the 'trust' problem when there's two AD domains involved, not an IPA 
and AD domain. So it seems like a mac specific problem perhaps. 
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to