Hi,

We are currently evaluating FreeIPA (again) for our environment. Our IPA has 
one-way trusts with two AD domains from two different forests.
Most things seem to be working ok so far.

I'm now looking into setting up a Samba server on an IPA-joined machine 
following the instructions in the documentation.
This works okay for Kerberos authentication (as documented), but not (yet) for 
username/password authentication.

Is this something that is being worked on? Is it on the roadmap for a specific 
version? Is it technically impossible?

It seems that we are in a situation where none of the direct/indirect options 
seem to work for us :-(.
- direct integration with sssd does not support one-way AD trusts from 
different forests
- direct integration with winbind also does not seem to support one-way AD 
trusts from different forests as it seems to try to use the machine credentials 
to connect to the domain controllers of the trusted domain but this fails as 
there is no trust in the other direction. I hoped this would work with 
idmap_rid but that does not seem to be the case?
- indirect integration with IPA is what gets us as close to what we want to 
achieve as possible, except for this Samba issue. Unfortunately this is 
somewhat of a blocker for us.

I don't think our setup is that special, so I'm wondering how other (FreeIPA) 
users are handling this type of setup.

Regards,
Rik
_______________________________________________
FreeIPA-users mailing list -- [email protected]