----- Original Message -----

> From: "Alexander Bokovoy" <>
> To: "Nicolas Zin" <>
> Cc:,
> Sent: Thursday, 12 February 2015 12:57:07
> Subject: Re: [Freeipa-users] ad relation with winsync
> On Thu, 12 Feb 2015, Nicolas Zin wrote:
>>> AD is treated as the ultimate source, so adds should go only from AD
>>> to IPA, but you need the modify to work both ways, otherwise your account
>>> state will get out of sync.
>>> Whatever is required by docs is the minimal privilege you need to have
>>> to sync users.
>>> However did you consider trust?
>>> It is a two-way trust, but it acts as a one-way trust.
>> I know, but my customer doesn't want a two-way trust, whatever it means:
>> - they fear some security concerns with a two-way trust.
> We've been through this multiple times, check freeipa-users@ archives
> for arguments for and against.
>> - if they migrate their AD to a new version or a new topology, they fear
>> they will encounter migration path issues
> Cross-forest trust is a standard feature of AD, we foresee no
> migration path issues, and it works with everything from Windows Server
> 2003 to Windows Server 2012R2 (though Red Hat only supports cross-forest trust
> from Windows Server 2008 onwards, but this is mostly because
> 2003 is already out of support by Microsoft).

I guess the client will change his mind when he sees the deployment
(and maintenance) cost of installing the password sync agent on all DCs, and
the need to reboot the DCs.
This is why we are doing a PoC for the moment :-)
I will try to understand their points and clarify the situation.

For the arguments
