On Fri, 19 Feb 2016, Mike Kelly wrote:
Ahha! I seem to have gotten somewhere now!

I just re-applied the view to my host, restarted sssd and cleared its
cache, and it's now picking up my overridden UID and GID! (I had to
manually add an entry for the overridden GID to /etc/group, because FreeIPA
won't let me override the private user groups.)

One odd caveat, but perhaps this is part of the design... if I do a `getent
$IPA_UID` or `getent $OVERRIDE_UID`... both give the same output, my user
with the overridden UID. I'd expect the first one to just give no result?

That's by design.

One side question, though... now that I have done half of the work for an
AD trust... is it possible for me to make my FreeIPA server into an AD
controller for the one Windows box in my house? Some searching I did before
indicated no, in part because Samba required Heimdal instead of MIT
Kerberos... is that still true?

Yes and no. FreeIPA cannot be made an AD controller and even when we
complete porting Samba AD to use MIT Kerberos, that will not change as
Samba AD is using its own, completely separate, data store and cannot be
made to use an external LDAP server for that. Samba AD is a special mode
in Samba, different from a traditional domain controller mode used by

So while you are able to join your Windows machine to Samba AD with
Heimdal now or with MIT Kerberos in future, this will be a join to a
totally separate domain.

/ Alexander Bokovoy
