On Tue, 16 Sep 2014, Greg Scott wrote:
>> Even when IPA implements GC support, nothing will change: by default any user that has no explicit permission in ACLs gets what is given to all authenticated users, i.e. default read access. When GC is there, all that will change is that there will be the ability to resolve IPA users on the AD side, thus allowing AD users to assign specific permissions to IPA users.
> Agreed. That's close to word for word what I told them. However, the perception that Windows AD trusts Linux IPA scares them, even though Windows admins still have total control over who can see what in their environment. It's all perception because Linux is foreign and Windows is well known on that side of the fence. Something to keep in mind when you build it. Perception drives lots of decisions and they're not always rational. Meantime, I can probably find some Microsoft documentation about what trusts really mean that might make them more
My experience shows that many (by and large, unfortunately) Windows administrators have scarce technical knowledge of how things actually work behind the scenes and facades of Windows UIs. You are absolutely spot on with the perception thing.
On a brighter note, Microsoft's protocol documentation team does a wonderful job of maintaining specifications for AD protocols. There are occasional issues which require clarification, but the collaboration with the Samba Team over the past seven years has been tremendous.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project