Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers.

Sanitized view of our AWS footprint:

AD Servers & IPA:
AD Forest #1:
AD Forest #2:
AD Forest #3:
IPA Domain/Realm: (successful 1-way trusts to and etc.)

With basic recognition of users and working SSH logins based on AD username and passwords I'm moving on to trying to use the far more interesting IPA/IDM features.

Using user accounts defined locally on the IPA server I'm having a blast uploading SSH keys and creating sudo rules and groups. So the natural next question is "can we do this for users who exist only in remote AD controllers?"

IPA is doing 100% of the UID/GID/Posix stuff management - we are only pulling usernames & groups from AD and checking passwords against the AD servers.

The basic question -- is it possible for me to get to "hybrid linux user management" nirvana whereby IPA/IDM manages everything about AD users except for their username and passwords?

Tried to find this in the official documentation but it dives instantly into deep topics about user data mapping, custom schemas and dealing with POSIX data served up by the AD controllers. Hard to figure out the boundary between what IPA can support with local user accounts vs what it can do when the users exist in remote AD forests.

Any URLs or documentation pointers would be appreciated.
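The following is an added example, not part of the original post, showing the shape of the "hybrid" setup the question asks about: an AD group is mapped into an IPA external group, that external group is nested in an IPA POSIX group that a centrally managed sudo rule references, and an SSH public key is attached to an AD user through an ID override in the Default Trust View. It assumes the standard FreeIPA `ipa` CLI on an enrolled host with an admin Kerberos ticket; every name, domain and key below is a constructed placeholder. The plan functions only build the command lines, so the script can be reviewed (and tested) offline; `apply_plan` runs them only when `ipa` and a ticket are actually present.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project).
# Assumes: FreeIPA `ipa` CLI, an enrolled client, an admin Kerberos ticket,
# and an existing one-way trust to the AD forest named below.
# All identifiers here are constructed placeholders.

AD_DOMAIN="ad1.example.com"              # constructed: one trusted AD forest
AD_GROUP="AD1\\Linux Admins"             # constructed: AD group, NetBIOS form
EXT_GROUP="ad1_linux_admins_external"    # IPA external group that stores the AD SID
POSIX_GROUP="ad1_linux_admins"           # IPA POSIX group that rules reference
SUDO_RULE="ad1_linux_admins_sudo"        # IPA-managed sudo rule
AD_USER="jdoe@${AD_DOMAIN}"              # constructed AD user
SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY jdoe@laptop"  # constructed

# Step 1: external group holds the AD SID; POSIX group gives it an IPA-managed GID.
plan_group_mapping() {
    printf '%s\n' "ipa group-add $EXT_GROUP --external"
    printf '%s\n' "ipa group-add-member $EXT_GROUP --external \"$AD_GROUP\""
    printf '%s\n' "ipa group-add $POSIX_GROUP"
    printf '%s\n' "ipa group-add-member $POSIX_GROUP --groups $EXT_GROUP"
}

# Step 2: sudo rule that applies to the POSIX group on all hosts for all commands.
# Narrow --hostcat/--cmdcat (or use --hostgroups/--sudocmds) in a real deployment.
plan_sudo_rule() {
    printf '%s\n' "ipa sudorule-add $SUDO_RULE --hostcat=all --cmdcat=all"
    printf '%s\n' "ipa sudorule-add-user $SUDO_RULE --groups $POSIX_GROUP"
}

# Step 3: SSH public key stored in IPA for an AD user via an ID override.
plan_ssh_key_override() {
    printf '%s\n' "ipa idoverrideuser-add \"Default Trust View\" \"$AD_USER\" --sshpubkey=\"$SSH_KEY\""
}

# Full plan, one ipa invocation per line.
plan_all() {
    plan_group_mapping
    plan_sudo_rule
    plan_ssh_key_override
}

# Count the commands in the plan (used for a sanity check before applying).
plan_count() {
    plan_all | wc -l | tr -d ' '
}

# Execute the plan only when the CLI and a Kerberos ticket exist; otherwise dry-run.
apply_plan() {
    if command -v ipa >/dev/null 2>&1 && klist -s 2>/dev/null; then
        plan_all | while IFS= read -r line; do
            printf 'running: %s\n' "$line"
            eval "$line" || { printf 'failed: %s\n' "$line" >&2; return 1; }
        done
    else
        printf 'dry run (no ipa CLI or no Kerberos ticket); plan follows:\n'
        plan_all
    fi
}

# Stand-alone use: review, then apply.
apply_plan
```

Once the override is in place, clients that consume SSH keys from IPA (SSSD with `ipa` as the identity provider and `sss_ssh_authorizedkeys` wired into sshd) will accept the AD user's key while the password is still checked against the AD forest; the sudo rule is served to clients through SSSD's sudo provider, so it is worth confirming on a client with `sudo -l` as the AD user before relying on it.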
