On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but is
> > > such a
> > > way so I tap my IPA into specific OU within that AD.
> > 
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer
> > which is already a client in an IPA domain to AD as well? If this is
> > the
> > case I would recommend to consider the IPA trust feature. Joining 2
> > domain is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> Can IPA domain establish a trust between win AD if IPA admin only has
> admin control over an OU in win AD ?

No, you need to be a Domain Admin with full privileges.

> I know very little about AD and only started with IPA - I don't suppose
> control of OU delegated to a user makes that user AD admin.

It doesn't.

> I guess what I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect IPA domain to win AD when one has
> admin control only over a OU in win AD?

Not sure you can even do sync, there isn't really much you can do with
those privileges, you are basically just allowed to administer a


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to