Rich,

>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose we recommend using the latest
> available version at the moment of deployment.

Good suggestion.  This mean I should use version 3. Problem that would
have to run Fedora 17 and not happy with that option.  Think I may
have to wait for 6.4 before changing current setup as I like the trust
setup more than the sync alternative

> 2) There are two different approached to dealing with AD - sync or
> trust. You need to chose what approach you want to use. Down the road
> there might be some hybrid solutions but so far they are not supported.
>
> Sync: available starting the beginning of the IPA life. It has some
> limitations and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common but you have been warned
> anyways.

Ok

>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
> the trusts would not work. This also means that if you have other UNIXes
> the trusts would not work there.

That sucks. Would have been better if it only affected IPA server.
Hopes there will not be too many dependencies that would make it
impossible of updating to SSSD 1.9.x.  why is this necessary if I may
ask?  Though most of the changes would be limited to the server side?

Actually, a better question is, whats the difference between sync and
trust?  To me, sync mean pushing the username password pair through
the passsync while trust mean pushing the username and password
through samba4. Is this correct?

>
> If you have UNIX clients that need to be accessed by AD users you might
> explore some hybrid solutions that might work but we can't say for sure.
> For example the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass through capability that comes with 6.4 as
> a tech preview. That would allow  pass through LDAP auth for the non
> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
Interesting, sound scarily to go there.  Thank you
>
>

William
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 52, Issue 9
> ********************************************

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to