On 07/20/2015 07:02 AM, Email wrote:
Hi Rich, thanks for the reply. Here is the link I'm working with: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html

I'm looking at both options, the cross forest trust and winsync. For my project FreeIPA needs to be authoritative wherever possible. Users need one domain account that works on Linux and Windows. Why would trusts be a better solution than winsync? Thanks for your help.

Please keep replies on-list.

In general, any time you don't have to copy information around, and ensure that it is in sync, and remains in sync, that is a better solution. Trusts does not copy/sync information, so in general it is preferred.

In your case, it seems that you want FreeIPA to be the authoritative source of information? And you want to create new users/groups in FreeIPA, and use that information in the AD/Windows environment? Is that correct?


On Wednesday, July 15, 2015, Rich Megginson <rmegg...@redhat.com> wrote:

    On 07/15/2015 09:42 AM, Email wrote:
    Hi everyone, my name is Tony and this is my first post, so it's
    nice to meet all of you. I've been tasked with creating an AD and
    FreeIPA environment, and I'm looking into the sync between the
    two.  It looks like creating a user in AD causes that user to be
    created in IPA, but not the other way around.  But if I create
    them in IPA they will not be auto created in AD.  I'm wondering
    why this is.

    This is intentional.  If you are using FreeIPA and windows sync,
    it is assumed you want AD to be the provisioning system for new
    users, and not FreeIPA.

    I would seriously consider using trusts instead of windows sync.

See section 8.1 of the Fedora documentation as a reference.

    Link please?  We may need to clarify the language.

    Thanks in advance!


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
