On Wed, 18 May 2016, lejeczek wrote:
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible, to realm join an AD in
> > > such a way that I tap my IPA into a specific OU within that AD.
> >
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer which is already a client in an IPA domain to AD as well?
> > If this is the case I would recommend considering the IPA trust
> > feature. Joining 2 domains is in general possible with SSSD but has
> > to be done with very great care, e.g. by using different keytabs
> > for each domain.
> Can an IPA domain establish a trust with a Windows AD if the IPA admin
> only has admin control over an OU in that AD?

No, you need to be a Domain Admin with full privileges.
many thanks Simo,
when I try a user who only has delegated admin/management over an OU I
see:
Active Directory domain administrator's password: 
ipa: ERROR: Insufficient access: CIFS server denied your credentials.
That's correct. You need to be a member of the Domain Admins group of the
forest root domain or a member of the Enterprise Admins group in the forest.

Would joining an IPA server to Windows AD with realmd be a kind of one-way
trust?
No, not at all.

Trust != joining a machine to AD domain.

Is it even possible (with no reasons against doing so) to join an IPA
server/domain to AD?
No. A machine in Active Directory can only be a member of a single
domain. It cannot be a servant of two masters.

I mean I did that and I could get AD user IDs, but there was some
problem with krb5: the config got messed up and the daemon would not start.
If you like to enjoy broken configurations, it is up to you. There is
probably a reason why obvious things don't work. If you want to know
more about Active Directory, feel free to read the specs at MSDN. Start with
MS-ADTS: https://msdn.microsoft.com/en-us/library/cc223122.aspx

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
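A pre-flight check for the privilege requirement stated in this thread (the AD account used for `ipa trust-add` must be in Domain Admins of the forest root domain, or in Enterprise Admins), as an added example that is not part of the thread or of FreeIPA itself. It takes the account's `memberOf` DNs, which in practice you would fetch with `ldapsearch` against a domain controller (the command in the docstring is an assumed invocation), and decides whether the account qualifies. The group DNs and forest root name below are constructed sample data. Caveat handled only by a comment: `memberOf` shows direct membership, so an account that reaches Domain Admins through a nested group is reported as insufficient here; resolving that needs the `tokenGroups` attribute.

```python
"""Pre-flight check before `ipa trust-add`.

Added example, not FreeIPA code.  Decides whether an AD account holds the
rights the freeipa-users thread says are required: Domain Admins in the
forest root domain, or Enterprise Admins (which only exists in the root).

Assumed way to obtain the memberOf values in real use (not run here):

    ldapsearch -H ldap://dc.corp.example.com -D 'CORP\\user' -W \
        -b 'DC=corp,DC=example,DC=com' '(sAMAccountName=user)' memberOf

Caveat: memberOf lists direct membership only.  Nested membership (user ->
some group -> Domain Admins) is not resolved by this check; AD exposes the
flattened set via the tokenGroups attribute.
"""

from typing import Iterable, List


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514 backslash escapes honoured)."""
    out, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out


def dn_domain(dn: str) -> str:
    """DNS domain encoded by the DC= components, lower-cased.
    'CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=com' -> 'ad.example.com'."""
    dcs = [r.split("=", 1)[1] for r in split_rdns(dn) if r.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def dn_cn(dn: str) -> str:
    """Value of the leading CN= RDN, or '' if the DN does not start with CN=."""
    key, _, value = split_rdns(dn)[0].partition("=")
    return value.strip() if key.strip().upper() == "CN" else ""


def can_create_trust(member_of: Iterable[str], forest_root: str) -> bool:
    """True if the account can establish the IPA<->AD trust.

    Enterprise Admins qualifies regardless of which DC= suffix the DN has;
    Domain Admins qualifies only when its domain is the forest root (a child
    domain's Domain Admins is not enough, per the thread).
    """
    root = forest_root.lower()
    for dn in member_of:
        cn = dn_cn(dn).lower()
        if cn == "enterprise admins":
            return True
        if cn == "domain admins" and dn_domain(dn) == root:
            return True
    return False


def explain(member_of: Iterable[str], forest_root: str) -> str:
    """Human-readable verdict, quoting the error the thread reports on failure."""
    if can_create_trust(member_of, forest_root):
        return "ok: account may run 'ipa trust-add'"
    return ("insufficient: expect 'ipa: ERROR: Insufficient access: "
            "CIFS server denied your credentials.'")


# Constructed sample data (hypothetical forest corp.example.com with child eu).
FOREST_ROOT = "corp.example.com"
OU_DELEGATED_ADMIN = ["CN=OU-Sales-Admins,OU=Sales,DC=corp,DC=example,DC=com"]
CHILD_DOMAIN_ADMIN = ["CN=Domain Admins,CN=Users,DC=eu,DC=corp,DC=example,DC=com"]
FOREST_ROOT_ADMIN = ["CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"]
ENTERPRISE_ADMIN = ["CN=Enterprise Admins,CN=Users,DC=corp,DC=example,DC=com"]

if __name__ == "__main__":
    for name, groups in [("OU-delegated admin", OU_DELEGATED_ADMIN),
                         ("child Domain Admin", CHILD_DOMAIN_ADMIN),
                         ("forest-root Domain Admin", FOREST_ROOT_ADMIN),
                         ("Enterprise Admin", ENTERPRISE_ADMIN)]:
        print(f"{name}: {explain(groups, FOREST_ROOT)}")
```

The OU-delegated account from the thread lands in the "insufficient" branch: delegation over an OU gives no rights on the domain object itself, which is what the trust creation touches, so the matching rejection is the one the poster saw.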