On Tue, 18 Oct 2016, Brian Candler wrote:
On 17/10/2016 15:52, Alexander Bokovoy wrote:
If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for

Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad pointing to Samba4 (or even real Windows AD). Is that likely to be a satisfactory solution for managing the *nix boxes, or would I be better off with two separate domains?
No, it is wrong to use this mode. If you made a Linux machine a client
to IPA, it will be set up to use 'ipa' provider in SSSD and that should
support all needed functionality. You don't need to change anything in
the configuration.

Remember, I pointed you to sssd-ad manual page only to make sure you
would read about ID mapping because this is the place in SSSD
documentation which explains what happens there. I did not ask you to
change IPA client setup to use 'ad' provider in SSSD.

For example, would I lose the features that FreeIPA gives me like host-based access controls, sudo controls, central storage of ssh public keys?
Yes, you will lose all these features.

/ Alexander Bokovoy
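
An added example, not part of the original thread and not FreeIPA or SSSD code: a small audit that flags `sssd.conf` domains on an IPA-enrolled client whose providers have been switched away from `ipa`, the change the reply above advises against. The domain name and both sample files are constructed, and unset options are resolved with the defaults documented in sssd.conf(5).

```python
import configparser

# Constructed sample: an enrolled client whose domain was hand-edited to 'ad'.
SAMPLE_EDITED = """
[domain/ipa.example.test]
id_provider = ad
auth_provider = ad
access_provider = ad
ipa_domain = ipa.example.test
"""

# Constructed sample: every provider left as 'ipa', the setup the reply says to keep.
SAMPLE_DEFAULT = """
[sssd]
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
"""

def effective_providers(section):
    """Resolve providers, applying sssd.conf(5) defaults for unset options."""
    id_p = section.get("id_provider", "")
    return {
        "id_provider": id_p,                                      # identity lookups
        "auth_provider": section.get("auth_provider", id_p),      # defaults to id_provider
        "access_provider": section.get("access_provider", "permit"),  # 'ipa' evaluates HBAC
        "sudo_provider": section.get("sudo_provider", id_p),      # defaults to id_provider
    }

def audit(conf_text):
    """Return sorted (domain, option, value) for each effective provider that is not 'ipa'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        for opt, val in effective_providers(cp[name]).items():
            if val.strip().lower() != "ipa":
                findings.append((name[len("domain/"):], opt, val.strip()))
    return sorted(findings)
```

An empty list from `audit()` means every domain still resolves its identity, authentication, access and sudo providers to `ipa`; a missing `access_provider` is reported as `permit`, which bypasses HBAC evaluation.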
