I understand now that attempts to replicate user accounts from AD into 
FreeIPA aren't going to get any updates any time soon, because the library 
being used to sync is basically defunct.

     I'll start a new thread with my question about a FreeIPA Kerberos realm 
trusting an AD Kerberos realm while on the same DNS domain.  I've come across 
some new information that I'd like to check with y'all.

     Thanks, everyone, for your answers!

--David Alston

-----Original Message-----
[] On Behalf Of Alston, David
Sent: Monday, July 25, 2016 8:24 AM
To: Simo Sorce
Subject: Re: [Freeipa-users] Replicating users/groups from AD


     Yes, I had been hoping there would be a way to incorporate domain trusts 
between Active Directory and FreeIPA while the clients relying on these for 
identity management shared the same DNS domain (e.g. and  It sounds like that isn't going to happen.

     Account replication seems like another way for Active Directory users to 
be able to log in to servers using the same username/password everywhere.  
It wouldn't have SSO, but at least a user would be able to use the same 
username/password everywhere.  Replicating user accounts from an external 
AD/LDAP server seems to be built in, at the moment.  There aren't any plans to 
take that away, are there?  Ideally, I'd want a two-way sync so that password 
changes and user group changes are replicated back to AD as well.

--David Alston

-----Original Message-----
From: Simo Sorce []
Sent: Friday, July 22, 2016 10:49 AM
To: Alston, David
Subject: Re: [Freeipa-users] Replicating users/groups from AD

On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
> Greetings!
>      I realize that FreeIPA is supposed to be setup as master of its 
> own domain, but are there any plans to continue the account 
> replication functionality that has already been in FreeIPA?  I had 
> heard rumor that it would be possible to have FreeIPA and Active 
> Directory coexist in the same domain in some release in the future.
> Am I waiting for a feature that will never come?

Hi David,
in order to respond to your question, an idea of what your expectations 
are is needed.

If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they 
will never coexist.

If by Domain you mean DNS Domain, then FreeIPA can work in the same domain 
as AD, but only if you do not care for them interacting (at the Kerberos level: 
no trusts, no SSO).
You can basically have only one association between a DNS domain and a Realm, 
and a DNS domain is either going to be associated with the AD Domain server or with 
the IPA Domain.

Synchronization, however, is a completely unrelated topic, and I can't give you 
an answer on that side as I do not understand how it would relate to the 
coexistence of FreeIPA and AD in a single DNS domain.


Simo Sorce * Red Hat, Inc * New York
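To make the "one DNS domain, one realm" constraint concrete, here is an added client-side krb5.conf fragment; it is an illustration written for this thread, not configuration from the thread or from the FreeIPA project, and the names example.com, EXAMPLE.COM, AD.EXAMPLE.COM, ipa.example.com and dc1.example.com are assumed placeholders.

```ini
# Added example (placeholder names). A Kerberos client decides which realm a
# host belongs to either from the [domain_realm] map below or, when
# dns_lookup_realm is enabled, from the _kerberos.<domain> DNS TXT record.
# Both lookups are keyed by DNS suffix and yield exactly one realm, which is
# why a single DNS domain cannot be "owned" by both an AD realm and an IPA realm.

[libdefaults]
    default_realm = EXAMPLE.COM
    # With dns_lookup_realm = true, the TXT record for _kerberos.example.com
    # would decide instead, and that record also names a single realm.
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    # Both realms can be defined, but that only tells the client how to reach
    # each KDC; it does not let one DNS suffix map to both of them.
    EXAMPLE.COM = {
        kdc = ipa.example.com
        admin_server = ipa.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.example.com
    }

[domain_realm]
    # Every host under example.com is treated as a member of the IPA realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    # AD members that expect the same suffix to resolve to AD.EXAMPLE.COM
    # cannot be served by this map: a suffix has one value, so the only
    # workable split is a separate DNS subdomain per realm, for example
    #     .ad.example.com = AD.EXAMPLE.COM
```

The same single-valued mapping exists on the DNS side, where _kerberos._tcp.example.com SRV records point at one set of KDCs, so the choice of which service owns the DNS domain has to be made once.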

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
