On Fri, 2015-06-19 at 21:15 +0200, Jakub Hrozek wrote:
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> > Hello,
> >
> > Forgive me if this is a very basic question, but I have read the
> > documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a CentOS 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations, and
> > everything works great. Unfortunately I have been told that I must now
> > use the University's Active Directory to authenticate all of my users.
> > I have read the documentation on FreeIPA / AD integration and am not sure if
> > that will meet my requirements. All my Linux users' home directories are
> > automounted on login from a CentOS 7 NFS server with their bash profiles
> > etc. run off that mount. From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to be
> > able to log into a Linux machine with access to their Windows folders and
> > profiles (oddjob creating a local home directory on the Linux box, etc.)
> > I don't want this. All I need is to simply authenticate the user using AD
> > (BTW their IPA usernames and AD usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows servers.
> > Have I completely misread the documentation and I can do this by
> > integrating FreeIPA and AD? Is there an easy way to do this? I am not a
> > Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but... in case of IPA-AD
> trust, the AD users always authenticate against AD, even in case of
> password authentication on an IPA box. The passwords are not
> synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount
> info, sudo rules etc would satisfy your requirements?
>
> With the recent 'views' feature, you can set POSIX attributes for IPA
> users without touching the AD LDAP schema, even per-host.

Just for clarity: note that use of these features will require an upgrade
of your server to the latest CentOS 7.2 (when it is released).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
