On Mon, 11 Aug 2014, Daniel Shown wrote:
> I'm fairly new to FreeIPA, so can someone give me a sanity check? Should I be able to map AD users in an AD trust to corresponding FreeIPA users? i.e. Users can auth with their AD credentials and get a FreeIPA uidnumber, gidnumber, home, etc.?
Users from a trusted forest are treated as separate users. They have their own identities and get IDs either from Active Directory (if POSIX compatibility is enabled in AD) or from a special ID range allocated for them in IPA.
You can include these users (and groups, it doesn't matter what is what) in a special type of group in IPA, called "external" groups. These groups, in turn, can be members of existing POSIX groups from IPA. If done so, your AD users will become members of the appropriate POSIX groups from IPA by means of nested membership. These POSIX groups can then be used to apply SUDO or HBAC rules against AD users.
--
/ Alexander Bokovoy
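
The external-group nesting described in the reply above, written out as `ipa` commands with an HBAC rule applied to the resulting POSIX group. This is an added example, not part of the original message; the AD domain, group, rule and host-group names are placeholders.

```shell
#!/bin/sh
# Added example: every group, rule, host-group and domain name is a placeholder.
# Prints the ipa commands by default; set APPLY=1 to execute them on an
# IPA server while holding an admin Kerberos ticket (kinit admin).

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"    # dry run: show the command only
    fi
}

# map_ad_group <'DOMAIN\Group' from AD> <external group> <POSIX group>
map_ad_group() {
    ad_group=$1; ext_group=$2; posix_group=$3

    # 1. Non-POSIX "external" group: holds references to AD users/groups.
    run ipa group-add "$ext_group" --external
    # 2. Ordinary POSIX group from IPA.
    run ipa group-add "$posix_group"
    # 3. Put the AD group (or user) into the external group.
    #    ipa may prompt for [member user]/[member group]; leave them empty.
    run ipa group-add-member "$ext_group" --external "$ad_group"
    # 4. Nest the external group inside the POSIX group.
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# allow_ssh <POSIX group> <HBAC rule name> <host group>
# Grants sshd access on one host group to the POSIX group only, so AD
# users get access solely through the nested membership above.
allow_ssh() {
    posix_group=$1; rule=$2; hostgroup=$3

    run ipa hbacrule-add "$rule"
    run ipa hbacrule-add-user "$rule" --groups "$posix_group"
    run ipa hbacrule-add-host "$rule" --hostgroups "$hostgroup"
    run ipa hbacrule-add-service "$rule" --hbacsvcs sshd
}

map_ad_group 'ADEXAMPLE\Domain Admins' ad_admins_external ad_admins
allow_ssh ad_admins ad_admins_ssh adminhosts
```

On an enrolled client, `id 'user@ad.example'` should then list `ad_admins` among the user's groups once the SSSD cache has refreshed.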