Hello everyone,

I'm about to deploy a fresh IPA domain that needs to integrate with Active 
Directory.  In my lab environment I've set up a trust with AD, and the following 
items are driving me away from using the trust:

    - Users can't log in to a Linux box using just "username" (user@ad.domain is 
    - Since AD trust users don't show up in the FreeIPA web UI, users can't log in 
      to manage their own SSH keys
    - User/group management in general becomes largely a command-line operation 
      (such as mapping groups so they can be used in HBAC and sudo rules)

First, if any of the above is incorrect or there are workarounds I am very much 
open to discussion.

I'm considering using WinSync+PassSync so that users and groups appear as 
"real" IPA objects to be managed normally.  Given that an entire tool has been 
written to migrate away from WinSync to AD trusts, and that the language in the RH 
documentation suggests only using WinSync if you have to, I'm wondering what 
issues I'm not considering and whether I could be heading toward a world of hurt.

Guidance in this area is appreciated.
