On Wed, 18 May 2016, John Meyers wrote:
> FreeIPA, as we've discovered, has some wonderful Windows integration
> capability, but it is all predicated on Windows AD being the
> authoritative source of user information. 2-way trusts are great, but
> they only work for kerberotized applications, not native Windows rights
> (that would require FreeIPA to act as global catalog, as I learned from
> Alexander). The winsync capability does not, as it turns out, sync
> native IPA users to AD.
>
> The million-dollar question is: if you are a 90% Linux shop and FreeIPA is
> your authoritative user repository (AD is a blank slate), how do you
> perform local Windows login authentication for the 10% of Windows
> machines against FreeIPA?
As I said before, we currently don't have an answer to this question.
Development work still continues. Some people were able to do logins
with 'REALM\Username', but then assigning permissions does not work
anyway in Windows due to lack of GC support on the IPA side.
/ Alexander Bokovoy