On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in
> > > such a way so I tap my IPA into specific OU within that AD.
> >
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer which is already a client in an IPA domain to AD as well?
> > If this is the case I would recommend to consider the IPA trust
> > feature. Joining 2 domains is in general possible with SSSD but has
> > to be done with very great care, e.g. by using different keytabs
> > for each domain.
> Can IPA domain establish a trust between win AD if IPA admin only has
> admin control over an OU in win AD?

No, you need to be a Domain Admin with full privileges.

> I know very little about AD and only started with IPA - I don't suppose
> control of OU delegated to a user makes that user AD admin.

It doesn't.

> I guess what I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect IPA domain to win AD when one has
> admin control only over an OU in win AD?

Not sure you can even do sync, there isn't really much you can do with
those privileges, you are basically just allowed to administer a
"group".

Simo.

--
Simo Sorce * Red Hat, Inc * New York