> Even when IPA implement GC support, nothing will change: by default any user > that has no explicit > permission in ACLs, gets what is given to all authenticated users, i.e. > default read access. When GC > is there all that will change is that there will be ability to resolve IPA > users on AD side, thus allowing > AD users to assign specific permissions to IPA users.
Agreed. That's close to word for word what I told them. However, the perception that Windows AD trusts Linux IPA scares them, even though Windows admins still have total control over who can see what in their environment. It's all perception because Linux is foreign and Windows is well known on that side of the fence. Something to keep in mind when you build it. Perception drives lots of decisions and they're not always rational. Meantime, I can probably find some Microsoft documentation about what trusts really mean that might make them more comfortable. - Greg -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project