Hello, Jakub!
Could you please tell, what about sssd package in RHEL 6, when we can expect 
the fixes in official updates? Especially with our sensitive fixes (parentheses 
in AD groups names)?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Monday, June 22, 2015 2:27 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 08:15:37PM +0000, David Fitzgerald wrote:
>
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
>
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> > Hello,
> >
> > Forgive me if this is a very basic question, but I have read the 
> > documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations,
> > and everything works great.  Unfortunately I have been told that I
> > must now use the University's Active Directory to authenticate all of my 
> > users.
> > I have read the documentation on FreeIPA / AD integration and am not
> > sure if that will meet my requirements.  All my Linux users' home
> > directories are auto mounted on login from a CentOS 7 NFS server with their 
> > bash profiles
> > etc. run off that mount.    From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to
> > be able to log into a Linux machine with access to their Windows
> > folders and profiles (oddjob creating a local home directory on the
> > Linux box, etc.) I don't want this.  All I need is to simply
> > authenticate the user using AD (BTW their IPA usernames and AD
> > usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows  servers.
> > Have I completely mis-read the documentation and I can do this by 
> > integrating FreeIPA and AD?  Is there an easy way to do this? I am not a 
> > Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but..in case of IPA-AD trust, 
> the AD users always authenticate against AD, even in case of password 
> authentication on an IPA box. The passwords are not synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount info, 
> sudo rules etc would satisfy your requirements?
>
>
> With the recent 'views' feature, you can set POSIX attributes for IPA users 
> without touching the AD LDAP schema, even per-host.
>
>
> This is exactly what I need.

If you are going to experiment with the views, then please note that 
unfortunately some bugs slipped into the 7.1 release. If you encounter 
problems, please either try installing latest packages for SSSD and IPA, make 
sure SSSD is updated also on the server side.

Some SSSD bugs are not planned for patching until 7.2, in that case you might 
need to install upstream packages such as:
    https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1217127
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214719
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214718
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214716
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214337


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

________________________________

Информация в этом сообщении предназначена исключительно для конкретных лиц, 
которым она адресована. В сообщении может содержаться конфиденциальная 
информация, которая не может быть раскрыта или использована кем-либо, кроме 
адресатов. Если вы не адресат этого сообщения, то использование, переадресация, 
копирование или распространение содержания сообщения или его части незаконно и 
запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно 
сообщите отправителю об этом и удалите со всем содержимым само сообщение и 
любые возможные его копии и приложения.

The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. The 
contents may not be disclosed or used by anyone other than the addressee. If 
you are not the intended recipient(s), any use, disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it is 
prohibited and may be unlawful. If you have received this communication in 
error please notify us immediately by responding to this email and then delete 
the e-mail and all attachments and any copies thereof.

(c)20mf50

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to