So here's the situation I'm in. The university has its AD domain locked down pretty tight -- getting a trust is out of the question, creating new users isn't allowed, and they seem to have no interest in supporting Linux management.

I'd like to be able to leverage the AD Kerberos server but manage users locally.

So here's what I'm thinking about doing: putting my site users/groups and copies of the relevant AD users into IPA. The site users would have UIDs > 1 billion and the users from AD would have whatever unixuid attribute they have (only the uid is stored in AD -- they didn't do a full posix setup). The IDs will not conflict with each other, so I'm set there.

I'd have two entries in sssd.conf: one entry would have a min/max id matching the AD users and the other would be 1 billion+ to match the local users/groups. The AD range would use the university's AD Kerberos for authentication and IPA for everything else. The other would use IPA normally.

I was able to get this working successfully when setting up 389 manually by using two nearly identical configs in sssd and making the AD one resolve first, but I can't seem to figure out the magic chant for making it work with IPA.

So, is something like this even possible? Is there a better way to be able to use IPA and stay out of the password business for the real users of my system? If it comes down to it, I'll manually set up 389 and do it the way I prototyped it, but I'd really like to have something resembling a "standard" build. This is all on RHEL6. If a newer version of IPA is required I'd be ok with installing it.
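For readers of the thread, here is what the two-domain sssd.conf described above looks like when written out. This is an added illustration, not the poster's config or anything shipped by FreeIPA: the hostnames, realm, base DN, and the AD-side UID bounds are placeholders, and it reproduces the "AD range resolves first" ordering of the poster's 389 prototype by listing that domain first in `domains =`. The AD-derived entries are looked up in IPA's LDAP tree with the plain `ldap` provider, while their passwords are checked only against the university KDC, so IPA never holds a password for them.

```ini
# /etc/sssd/sssd.conf (added example; all names below are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
# Domains are searched in the order listed: the AD-derived range first,
# the site-local range second, matching the poster's 389 prototype.
domains = ad_users, site_users

# University accounts: identity from the copies stored in IPA's LDAP tree,
# authentication against the university's AD KDC. IPA stores no password.
[domain/ad_users]
id_provider = ldap
# Use ldaps and pin the IPA CA so identity data cannot be tampered with in transit.
ldap_uri = ldaps://ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_schema = rfc2307bis
ldap_search_base = cn=accounts,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
# Bounds of the UID range the AD-derived entries actually occupy (placeholders).
min_id = 10000
max_id = 999999999
auth_provider = krb5
chpass_provider = none
krb5_realm = AD.UNIVERSITY.EXAMPLE
krb5_server = kdc.ad.university.example
# With no host keytab from the AD realm, SSSD cannot verify the KDC's reply
# (KDC spoofing). Set this to true if the domain admins will issue one.
krb5_validate = false
enumerate = false
cache_credentials = false

# Site-local accounts (UIDs of 1 billion and up): identity, authentication
# and access control all from IPA.
[domain/site_users]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ipa.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
min_id = 1000000000
enumerate = false
cache_credentials = false
```

Two things to check before relying on this: the `uid` of each AD copy in IPA has to equal the user's AD logon name, because the `krb5` provider builds the principal as `uid@AD.UNIVERSITY.EXAMPLE` from it; and the two `min_id`/`max_id` windows must not overlap, since a UID that matches both domains would be served by whichever is listed first and could be authenticated by the wrong backend.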


Freeipa-users mailing list
