On Tue, 18 Oct 2016, Brian Candler wrote:
> On 17/10/2016 15:52, Alexander Bokovoy wrote:
>> If you set ID range for corresponding AD domain in IPA to be
>> 'ipa-ad-trust-posix' and make sure all users that need to log on to IPA
>> have POSIX attributes, then it should work.
>>
>> I think most of this is described in the Windows Integration Guide for
>
> Final question. Suppose I use just the ipa-client package with sssd-ad
> pointing to Samba4 (or even real Windows AD). Is that likely to be a
> satisfactory solution for managing the *nix boxes, or would I be
> better off with two separate domains?

No, it is wrong to use this mode. If you made a Linux machine a client
to IPA, it will be set up to use 'ipa' provider in SSSD and that should
support all needed functionality. You don't need to change anything in

Remember, I pointed you to sssd-ad manual page only to make sure you
would read about ID mapping because this is the place in SSSD
documentation which explains what happens there. I did not ask you to
change IPA client setup to use 'ad' provider in SSSD.

> For example, would I lose the features that FreeIPA gives me like
> host-based access controls, sudo controls, central storage of ssh

Yes, you will lose all these features.

/ Alexander Bokovoy