Hi Aleksander and Tomas, thanks for the quick responses! I find the trust-based solution more advanced but also more complicated - two sites, one with FreeIPA and the other with an AD domain, limited communication from the FreeIPA to the AD site, FreeIPA not aware of AD sites, questionable use of RODCs, and Kerberos, which heavily depends on DNS. An acceptable solution would be public key login for my AD users, but they are not able to log in to the FreeIPA web UI to update their SSH keys. So Winsync seems like the simpler solution here.
Regards,
Srdjan.

On Tue, Oct 27, 2015 at 6:20 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 27 Oct 2015, Tomas Babej wrote:
>> On 10/27/2015 05:51 PM, Srdjan Dutina wrote:
>>> Hi!
>>
>> Hello Srdjan,
>>
>>> Is syncing (winsync) users and passwords from MS Active Directory
>>> deprecated in FreeIPA 4.x?
>>> If not, is there some documentation on how to use it?
>>
>> Winsync synchronization is not deprecated as of now, but we are trying
>> to move away from it in favor of the trust-based solution. I would
>> certainly encourage you to try that before using winsync.
>
> Documentation is in the 'Windows Integration Guide':
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> Chapter 7 covers winsync.
>
>>> Additionally, when using FreeIPA - AD trust, is it possible for user from
>>> trusted domain to log on to FreeIPA web UI?
>>
>> Yes.
>
> No. AD users cannot login to web UI. We are planning to add this
> possibility in FreeIPA 4.4 or around that time, to allow AD users to
> manage parts of their ID overrides.
>
> --
> / Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project