Hi Everybody
I need help with a recommendation on the integration of AD and IPA. Our target is to create an environment with single authentication credentials, while preserving user access configuration (sudo / HBAC) and data permissions via groups independently. We have some Samba setups that need to get information from both systems, so we added UID and GID information to AD objects. In our environment we have hundreds of lab desktops and portable devices running Ubuntu and RHEL-based OSes. While most user personal devices are Windows based, we have some users using Linux as well.

I found the following ways:

1. Password sync service. My colleague used it previously and recommended it as a solution, but it looks like this way is not under development recently and is not recommended for new setups.
2. AD - IPA domain trust. I tested trust between AD and IPA and got stuck with the issue that we were required to multiply user groups, as we were unable to get access/sudo without creating POSIX IPA groups. We are using NFS3 with a 16-group limit, which significantly limits how many POSIX groups a user can be a member of.
3. IPA - AD via RADIUS with LDAP backend. I tested such a setup and it was working correctly for online systems, but offline users were unable to log in. Offline login is a must for our setup as we have user laptops. All my attempts to find a solution to this behaviour were not successful, and even with Ubuntu 24, which includes SSSD 2.9 that is intended to support a FAST channel for getting a Kerberos ticket, offline login failed.

Maybe I missed something and there is some better way, as I am sure that my setup is similar to many other companies. Looking for any tips or recommendations on the integration of AD and IPA.

Thanks.