On Fri, May 31, 2013 at 06:52:27AM +0000, Ondrej Valousek wrote:
> Hi List,
> I have a question - is it possible to use AD trust the way that:
> 1. All users are stored in AD
> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are
> stored in IPA?
Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
I can see no issues.
> If yes then:
> 1. Will this scenario honour the RFC2307 user attributes in AD?
We are trying to support RFC2307 attributes in AD with the next releases
of SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
AD user's RID is available.
> 2. How is the best way to implement this? Imagine AD realm EXAMPLE.COM. Which
> realm I should chose for IPA? How about DNS?
The only requirement is to use a different DNS domain to make Kerberos
work properly. I would always recommend to use the IPA DNS server to
manage the IPA domain and add delegation and glue records from and to
other domains. See
Freeipa-users mailing list
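As an added illustration (not part of the original thread) of the delegation the reply recommends: a constructed fragment of the AD-side zone example.com that delegates the IPA domain ipa.example.com to two IPA DNS servers. The host names ipa1/ipa2 and the 192.0.2.x addresses are assumptions.

```bind
; Constructed fragment of the parent zone example.com (served by AD DNS).
; It hands the subdomain ipa.example.com to the IPA DNS servers.
$ORIGIN example.com.

; Delegation: NS records for the child zone.
ipa            IN NS   ipa1.ipa.example.com.
ipa            IN NS   ipa2.ipa.example.com.

; Glue records: the name servers' names lie inside the delegated zone,
; so the parent must carry their A records or resolvers cannot find them.
ipa1.ipa       IN A    192.0.2.10
ipa2.ipa       IN A    192.0.2.11
```

On the IPA side the reverse direction is a forward zone for example.com pointing at the AD DNS servers, so that each realm's KDC records are resolvable from the other; a quick check is `dig +norecurse NS ipa.example.com @<AD DNS server>`, which should return the NS records with the glue in the additional section.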