On 25.7.2016 15:30, Simo Sorce wrote:
> On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
>> Greetings!
>>
>>      Yes, I had been hoping there would be a way to incorporate domain
>> trusts between Active Directory and FreeIPA while the clients relying
>> on these for identity management shared the same DNS domain (eg.
>> linux.company.com and windows.company.com).  It sounds like that isn't
>> going to happen.
> 
> These are two different domains, as long as linux.company.com is used
> only by freeIPA this configuration is already supported via a trust
> relationship.

Let me add that there are workarounds for other cases as well:
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Petr^2 Spacek


> 
>>      Account replication seems like another way for Active Directory
>> users to be able to login to servers to use the same username/password
>> for logging in.  It wouldn't have SSO, but at least a user would be
>> able to use the same username/password everywhere.  Replicating user
>> accounts from an external AD/LDAP server seems to be built-in, at the
>> moment.  There aren't any plans to take that away, are there?  Ideally,
>> I'd want a two way sync so that password changes and user group
>> changes are replicated back to AD as well.
> 
> winsync is not being further developed but we have no plans to take it
> away.
> 
> Simo.
> 
>> --David Alston
>>
>> -----Original Message-----
>> From: Simo Sorce [mailto:s...@redhat.com] 
>> Sent: Friday, July 22, 2016 10:49 AM
>> To: Alston, David
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>>
>> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
>>> Greetings!
>>>
>>>      I realize that FreeIPA is supposed to be set up as master of its
>>> own domain, but are there any plans to continue the account
>>> replication functionality that has already been in FreeIPA?  I had
>>> heard rumor that it would be possible to have FreeIPA and Active
>>> Directory coexist in the same domain in some release in the future.
>>> Am I waiting for a feature that will never come?
>>
>> Hi David,
>> in order to respond to your question, an idea of what your expectations
>> are is needed.
>>
>> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they
>> will never coexist.
>>
>> If by Domain you mean DNS Domain, then FreeIPA can work in the same
>> domain as AD but only if you do not care for them interacting (at the
>> kerberos level, no trusts, no SSO).
>> You can basically have only one association between a DNS domain and a
>> Realm, and a DNS domain is either going to be associated to the AD Domain
>> server or to the IPA Domain.
>>
>> Synchronization, however, is a completely unrelated topic, and I can't give
>> you an answer on that side as I do not understand how it would
>> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
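A small lint, added here as an example and not code from the thread or from FreeIPA, for the constraint Simo states above: in the krb5.conf [domain_realm] section each DNS domain can be bound to only one realm. It parses constructed krb5.conf fragments (the host and realm names are assumptions), flags a DNS domain bound to both an IPA realm and an AD realm, and resolves a host's realm the way libkrb5 walks the mappings (exact host name first, then parent domains with a leading dot).

```python
import re
from collections import defaultdict

# Constructed fragment (not from the thread): the supported layout, where
# each DNS domain is bound to exactly one realm and a trust links the two.
KRB5_CONF_OK = """
[domain_realm]
  .linux.company.com = LINUX.COMPANY.COM
  linux.company.com = LINUX.COMPANY.COM
  .windows.company.com = WINDOWS.COMPANY.COM
  windows.company.com = WINDOWS.COMPANY.COM
"""

# Constructed fragment with the unsupported layout: one DNS domain bound
# to both the IPA realm and the AD realm.
KRB5_CONF_BAD = """
[domain_realm]
  .company.com = IPA.COMPANY.COM
  company.com = IPA.COMPANY.COM
  .company.com = AD.COMPANY.COM
"""

def parse_domain_realm(text):
    """Return {dns_domain: set(realms)} from the [domain_realm] section."""
    mappings = defaultdict(set)
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            in_section = m.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            domain, realm = (s.strip() for s in line.split("=", 1))
            mappings[domain.lower()].add(realm.upper())
    return dict(mappings)

def conflicting_domains(text):
    """DNS domains mapped to more than one realm: a non-empty result is the
    configuration Simo says cannot work (one DNS domain, two realms)."""
    return sorted(d for d, realms in parse_domain_realm(text).items()
                  if len(realms) > 1)

def realm_for_host(hostname, text):
    """Exact host name first, then each parent domain with a leading dot,
    most specific first; None when no unambiguous mapping exists."""
    mappings = parse_domain_realm(text)
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()] + ["." + ".".join(labels[i:])
                                       for i in range(1, len(labels))]
    for key in candidates:
        if key in mappings and len(mappings[key]) == 1:
            return next(iter(mappings[key]))
    return None
```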

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project