On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
Dear Alexander,

If I use 'ipa-replica-prepare' to replica Windows AD to/from IPA AD, Will
all user account in Windows AD 'copy' to IPA AD, and my IPA client can
logon with Windows AD username only? (only use 'userA' to login directly,
not 'userA@win_ad.com').
If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync which is copying user entries from AD to IPA. In this
case AD users become IPA users. It is not a trust per se, only a
synchronization. In particular, users will not be able to use their AD
Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a
user name.

Or after replication, can I use IPA account logon Windows Client PC only
with ipa username? (only use 'userB' logon, rather than 'userB@ipa_ad.com'
to logon).
No, synchronization is from AD to IPA, not the other way around. A
change in IPA for the account which was synchronized from AD will be
propagated back to AD but IPA users will not be copied to AD.

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to