On 03/04/2015 02:33 PM, Hugh wrote:
> On 3/4/2015 2:00 AM, Martin Kosek wrote:
>> On 03/04/2015 04:57 AM, Hugh wrote:
>> Hello Hugh,
>>
>> Before you dive in further into FreeIPA winsync and groups, please note that
>> FreeIPA does not support group sync from/to AD and there are no plans for
>> adding that capability. We are focusing on AD Trusts instead, as *the* way for
>> cooperation with AD. This is a related upstream ticket with a similar request,
>> just in the other direction:
>>
>> https://fedorahosted.org/freeipa/ticket/3946
>
> We would prefer to use trusts and I tried that first, but then I
> discovered that logging into Windows workstations joined to the AD
> domain with IPA user accounts is not supported due to lack of a Global
> Catalog. Therefore, I had to resort to using a synch instead.

I see.

> I'm assuming that implementing a Global Catalog will take a while, so
> I'd probably suggest/request that feature additions to synch agreements
> not be closed off.

We are mostly not closing it off: if there is a contribution from the community
for the said feature, we will not reject it just because it is a winsync feature.
But adding group support to the winsync plugin is a non-trivial development
effort and we would rather focus on the said Global Catalog support, which is a
better choice in the long run.

I am now thinking how your use case could be worked around without significant
development. I can only think of having a parallel script polling the new/updated
LDAP groups (based on modify time) and then uploading them to AD with adcli, for
example (http://www.freedesktop.org/software/realmd/adcli/adcli.html). But this
is suboptimal, yes.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
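An added example, not code from the thread or from the FreeIPA project, of the polling workaround Martin sketches: it parses LDIF as `ldapsearch` over the IPA group tree would print it, keeps only the groups whose `modifyTimestamp` is newer than the last successful run, and builds the `adcli` commands that would recreate those groups in AD. The sample LDIF, the base DN and the `adcli create-group`/`add-member` subcommands are assumptions; the commands are returned as strings, not executed.

```python
# Constructed sample LDIF, as ldapsearch over the IPA group tree might print it
# (base DN and entries are assumptions, not from the thread).
SAMPLE_LDIF = """\
dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
cn: developers
modifyTimestamp: 20150304120000Z
member: uid=hugh,cn=users,cn=accounts,dc=example,dc=com
member: uid=martin,cn=users,cn=accounts,dc=example,dc=com

dn: cn=legacy,cn=groups,cn=accounts,dc=example,dc=com
cn: legacy
modifyTimestamp: 20150101000000Z
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif(text):
    """Return one dict per entry: cn, raw modifyTimestamp, member uids."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            cur = None
            continue
        attr, _, value = line.partition(": ")   # "attr:: base64" forms not handled
        if attr == "dn":
            cur = {"cn": None, "modified": None, "members": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif attr == "cn":
            cur["cn"] = value
        elif attr == "modifyTimestamp":
            cur["modified"] = value   # LDAP generalizedTime, e.g. 20150304120000Z
        elif attr == "member":
            # the first RDN of the member DN is the IPA uid
            cur["members"].append(value.split(",")[0].split("=", 1)[1])
    return entries

def changed_since(entries, watermark):
    """Keep groups modified after the watermark (generalizedTime string).
    Fixed-width UTC timestamps of the same form compare correctly as strings."""
    return [e for e in entries if e["modified"] and e["modified"] > watermark]

def adcli_commands(entries, domain):
    """Build (not run) the adcli invocations for each changed group.
    Subcommand names are assumed; create-group on an existing group
    fails, so a real script would check for it first."""
    cmds = []
    for e in entries:
        cmds.append(f"adcli create-group --domain={domain} {e['cn']}")
        for uid in e["members"]:
            cmds.append(f"adcli add-member --domain={domain} {e['cn']} {uid}")
    return cmds
```

The watermark would be persisted after each successful run; a group deleted in IPA never shows up in this search, so deletions need a separate comparison pass.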