On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
> > I wonder if the (very) new IPA AD trust feature could solve at least
> > some of your problems. Have a look at
> > http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> > can be tested.
> >
>
> The initial documentation looks like it's describing a full two way
> trust - in principle would a one way trust be feasible?
>
> Allow the AD users (or a selection thereof) access to the systems part
> of the IPA domain but not vice versa?

Well, at the moment we only set up a two way trust but the Windows admins would certainly be able to delete the outgoing trust right after it is created, it should cause trouble for win users that want to access ipa hosts.

We may take an RFE about creating only a one way trust, but it won't be there by 3.0 I think.

Simo.

--
Simo Sorce * Red Hat, Inc * New York