When I've done this in the past, I used MIT directly, not IPA. I set up a
one-way trust, then used "shadow objects" for users mapped using
alternateSecurityID. I've set up the same one-way trust testing with FreeIPA,
but unfortunately I had to use kadmin.local to do it. I don't know that that's
actually supported. Simo?

-c

Sent from my iPad

> On May 18, 2016, at 17:19, John Meyers <john+free...@themeyers.us> wrote:
> 
> All,
> 
> FreeIPA as we've discovered has some wonderful Windows integration
> capability, but it is all predicated on Windows AD being the
> authoritative source of user information.  2-Way trusts are great, but
> they only work for Kerberized applications, not native Windows rights
> (that would require FreeIPA to act as global catalog as I learned from
> Alexander).  The winsync capability does not, as it turns out, sync
> native IPA users to AD.
> 
> The million dollar question is if you are a 90% Linux shop and FreeIPA is
> your authoritative user repository (AD is a blank slate), how do you
> perform local Windows login authentication for the 10% of Windows
> machines against FreeIPA?
> 
> Thank you all!
> 
> John
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
