Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-06 Thread Ondrej Valousek
Exactly! That was the biggest advantage of Centrify/Likewise/rest, but hopefully with the latest set of RFEs I have submitted against sssd, 
it will no longer be any advantage.


On 10/05/2011 10:18 PM, Steven Jones wrote:

...the biggest thing for me so far is the ease of use, which with our limited 
capability staff/useradmins has to be a god send.



The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 
378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18

Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-05 Thread Ondrej Valousek

Submitted RFEs #743503,#743505,#743505 and #743509 into RedHat bugzilla (I have 
no login to fedorahosted.org so I could not submit to upstream).
Take them as a wish-list only and feel free to close them if they do not fit 
into the IPA roadmap.

Thanks!
Ondrej

On 10/04/2011 04:47 PM, Stephen Gallagher wrote:

These are all great ideas, Ondrej. Would you mind opening RFE bugs for
them? You can file them upstream at https://fedorahosted.org/sssd or in
Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.

On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:

Can you provide more information here? We DO have support for automatic
detection based on DNS SRV records. Does a DC locator use some other
mechanism?


Example AD domain CONTOSO.COM used on 3 sites - Prague,Cork, Dublin.
I have machine in Prague and I want it to join CONTOSO.COM. Now if I
used:

dns_discovery_domain = contoso.com

sssd would try to connect to any DC in the domain - even the one in
Dublin, completely ignoring sites.
I have to use:

dns_discovery_domain = Prague._sites.contoso.com

To force it to use Prague DCs only.
My understanding is, that the DC locator tries to communicate with
DC's first to determine local site and remote DC's are only used if no
valid/working DC can be found in the local site (Prague in this case).


I'm not sure what you mean by this? Do you mean you don't want to have
to specify ldap_schema = rfc2307bis and have it instead auto-detected?

That's trickier than it sounds.


well this is a really small one. I would say it would be perfectly
sufficient to introduce something like:

ldap_schema=msrfc2307bis

which would be equivalent to:

ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_schema = rfc2307bis

also, the ldap bind mechanism negotiation could be potentially
improved, now I have to explicitly specify

ldap_sasl_mech = GSSAPI

otherwise sssd tries to use SASL/EXTERNAL which fails when
communicating to AD controllers.


What features of the krb5 library do you mean? SSSD provides a locator
plugin that manages several features of the krb5 library, including
kinit and kpasswd.


The thing is that not all Linux apps are using sssd so we have to
remember to configure /etc/krb5.conf. too.
When using Centrify, all I need to do is:

# adjoin contoso.com

..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
modules, eeeverything. If I wanted to use sssd for the same job I have
to:

1. configure (manually) /etc/samba/smb.conf
2. net ads join (- just to get machine creds)
3. configure (manually) sssd.conf
4. configure (manually) PAM modules
5. configure (manually) krb5.conf

I understand that much of this is probably not sssd duty, but it would
be helpful to have some script around which would do the same job.






Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-05 Thread Dmitri Pal
On 10/05/2011 04:02 AM, Ondrej Valousek wrote:
 Submitted RFEs #743503,#743505,#743505 and #743509 into RedHat
 bugzilla (I have no login to fedorahosted.org so I could not submit to
 upstream).
 Take them as a wish-list only and feel free to close them if they do
 not fit into the IPA roadmap.

Thank you for taking time and doing this!


 Thanks!
 Ondrej

 On 10/04/2011 04:47 PM, Stephen Gallagher wrote:
 These are all great ideas, Ondrej. Would you mind opening RFE bugs for
 them? You can file them upstream at https://fedorahosted.org/sssd or in
 Red Hat Bugzilla https://bugzilla.redhat.com in the sssd component.

 On Tue, 2011-10-04 at 16:29 +0200, Ondrej Valousek wrote:
 Can you provide more information here? We DO have support for automatic
 detection based on DNS SRV records. Does a DC locator use some other
 mechanism?

 Example AD domain CONTOSO.COM used on 3 sites - Prague,Cork, Dublin.
 I have machine in Prague and I want it to join CONTOSO.COM. Now if I
 used:

 dns_discovery_domain = contoso.com

 sssd would try to connect to any DC in the domain - even the one in
 Dublin, completely ignoring sites.
 I have to use:

 dns_discovery_domain = Prague._sites.contoso.com

 To force it to use Prague DCs only.
 My understanding is, that the DC locator tries to communicate with
 DC's first to determine local site and remote DC's are only used if no
 valid/working DC can be found in the local site (Prague in this case).

 I'm not sure what you mean by this? Do you mean you don't want to have
 to specify ldap_schema = rfc2307bis and have it instead auto-detected?

 That's trickier than it sounds.

 well this is a really small one. I would say it would be perfectly
 sufficient to introduce something like:

 ldap_schema=msrfc2307bis 

 which would be equivalent to:

 ldap_user_object_class = user
 ldap_group_object_class = group
 ldap_user_home_directory = unixHomeDirectory
 ldap_schema = rfc2307bis

 also, the ldap bind mechanism negotiation could be potentially
 improved, now I have to explicitly specify

 ldap_sasl_mech = GSSAPI

 otherwise sssd tries to use SASL/EXTERNAL which fails when
 communicating to AD controllers.

 What features of the krb5 library do you mean? SSSD provides a locator
 plugin that manages several features of the krb5 library, including
 kinit and kpasswd.

 The thing is that not all Linux apps are using sssd so we have to
 remember to configure /etc/krb5.conf. too.
 When using Centrify, all I need to do is:

 # adjoin contoso.com

 ..which takes care of everything - /etc/nsswitch.conf, krb5.conf, PAM
 modules, eeeverything. If I wanted to use sssd for the same job I have
 to:

 1. configure (manually) /etc/samba/smb.conf
 2. net ads join (- just to get machine creds)
 3. configure (manually) sssd.conf
 4. configure (manually) PAM modules
 5. configure (manually) krb5.conf

 I understand that much of this is probably not sssd duty, but it would
 be helpful to have some script around which would do the same job.



Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Ondrej Valousek

I have ~50 servers and yes, we are using Centrify now - and yes, it is pain in 
the ass (need to take care of the licenses).
But I have found out recently that sssd can do much of the Centrify's duty (authorization & authentication) - well, it is not so polished, 
but it seems to work well.


Ondrej

On 10/03/2011 10:51 PM, Steven Jones wrote:

I have 200+ servers and 250 Linux desktops and growing. Can't manage those 
with local access with 1.5 admins; you also can't manage them with AD unless 
you buy Centrify/Likewise or Quest software or similar, and that's very expensive 
and a pain in the ass.





Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Stephen Gallagher
On Tue, 2011-10-04 at 09:32 +0200, Ondrej Valousek wrote:
 I have ~50 servers and yes, we are using Centrify now - and yes, it is
 pain in the ass (need to take care of the licenses).
 But I have found out recently that sssd can do much of the Centrify's
 duty (authorization & authentication) - well, it is not so polished,
 but it seems to work well.

As the lead SSSD developer, I can't help but chime in here and ask what
polish you'd like to see :)

RFEs and bugs can be filed upstream at https://fedorahosted.org/sssd
(Requires a Fedora account, you can get one at
https://admin.fedoraproject.org/accounts) 



Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Ondrej Valousek
Well, small things like sssd can not renew machine credentials / sssd can not detect local site automatically in AD domain (no DC locator 
implemented) / sssd can not detect/guess AD schema automatically / sssd won't configure the krb5 library for me.

Support for group policies & central management & auditing (Centrify nicely 
fills the OperatingSystem attribute for me) would be also nice.

Most of this is understandable as much of these requests are either AD-specific (hard to blame sssd here) or a RFE is already opened for 
such a functionality.


Anyway, it is still a way better than the classic libnss_ldap.so. :-)
Ondrej

On 10/04/2011 02:09 PM, Stephen Gallagher wrote:

As the lead SSSD developer, I can't help but chime in here and ask what
polish you'd like to see:)





Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Jan Zelený
 Well, small things like sssd can not renew machine credentials

Something like this is already registered as a bachelor's thesis and it should 
be done by the end of May. If you have any special requests or you want to 
know some details, write me a private email, I consult with the student on a 
regular basis.

Jan

 / sssd can
 not detect local site automatically in AD domain (no DC locator
 implemented) / sssd can not detect/guess AD schema automatically / sssd
 won't configure the krb5 library for me. Support for group policies &
 central management & auditing (Centrify nicely fills the OperatingSystem
 attribute for me) would be also nice.
 
 Most of this is understandable as much of these requests are either
 AD-specific (hard to blame sssd here) or a RFE is already opened for such
 a functionality.
 
 Anyway, it is still a way better than the classic libnss_ldap.so. :-)
 Ondrej
 
 On 10/04/2011 02:09 PM, Stephen Gallagher wrote:
  As the lead SSSD developer, I can't help but chime in here and ask what
  polish you'd like to see:)
 

Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Stephen Gallagher
On Tue, 2011-10-04 at 14:53 +0200, Ondrej Valousek wrote:
 Well, small things like sssd can not renew machine credentials /

As Jan said, this is being looked into.

  sssd can not detect local site automatically in AD domain (no DC
 locator implemented) /

Can you provide more information here? We DO have support for automatic
detection based on DNS SRV records. Does a DC locator use some other
mechanism?

 sssd can not detect/guess AD schema automatically

I'm not sure what you mean by this? Do you mean you don't want to have
to specify ldap_schema = rfc2307bis and have it instead auto-detected?

That's trickier than it sounds.

 / sssd won't configure the krb5 library for me.

What features of the krb5 library do you mean? SSSD provides a locator
plugin that manages several features of the krb5 library, including
kinit and kpasswd.

 Support for group policies & central management & auditing (Centrify
 nicely fills the OperatingSystem attribute for me) would be also nice.
 

These are on our long-term roadmap.

 Most of this is understandable as much of these requests are either
 AD-specific (hard to blame sssd here) or a RFE is already opened for
 such a functionality.
 
 Anyway, it is still a way better than the classic libnss_ldap.so. :-) 

That is certainly our goal :)



Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Jan Zelený
 On Tue, 2011-10-04 at 14:53 +0200, Ondrej Valousek wrote:
  Well, small things like sssd can not renew machine credentials /
 
 As Jan said, this is being looked into.
 
   sssd can not detect local site automatically in AD domain (no DC
  
  locator implemented) /
 
 Can you provide more information here? We DO have support for automatic
 detection based on DNS SRV records. Does a DC locator use some other
 mechanism?
 
  sssd can not detect/guess AD schema automatically
 
 I'm not sure what you mean by this? Do you mean you don't want to have
 to specify ldap_schema = rfc2307bis and have it instead auto-detected?
 
 That's trickier than it sounds.
 
  / sssd won't configure the krb5 library for me.
 
 What features of the krb5 library do you mean? SSSD provides a locator
 plugin that manages several features of the krb5 library, including
 kinit and kpasswd.

Also some more are already scheduled for 1.8 release. See tickets 997-1001

  Support for group policies & central management & auditing (Centrify
  nicely fills the OperatingSystem attribute for me) would be also nice.
 
 These are on our long-term roadmap.
 
  Most of this is understandable as much of these requests are either
  AD-specific (hard to blame sssd here) or a RFE is already opened for
  such a functionality.
  
  Anyway, it is still a way better than the classic libnss_ldap.so. :-)
 
 That is certainly our goal :)

-- 
Thank you
Jan Zeleny

Red Hat Software Engineer
Brno, Czech Republic



Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-04 Thread Simo Sorce
On Tue, 2011-10-04 at 09:43 -0400, Stephen Gallagher wrote:
   sssd can not detect local site automatically in AD domain (no DC
  locator implemented) /
 
 Can you provide more information here? We DO have support for
 automatic
 detection based on DNS SRV records. Does a DC locator use some other
 mechanism?

Windows domains list all servers in SRV records, but they have a deeper
concept called sites, where admins can tell which subset of
controllers a client should use (local to them). In order to discover
the right site you need to do additional CLDAP queries to AD at startup
time to find out what is the site to use and then you can query
site-specific DNS entries to find the list of DCs.

This is more complex than what we have in current SSSD and is
implemented in Samba's Winbind for example.

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York

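Ondrej's description of a site-aware DC locator (try the local site's DCs first, fall back to the domain-wide list only when none of them answer) and Simo's note that the site itself is something the client learns from the DC can be sketched as follows. This is an added example, not SSSD, Samba or Centrify code: the SRV answers, the subnet-to-site table and the reachability results are constructed inline so it runs offline, and the longest-prefix subnet match stands in for the CLDAP (netlogon) reply a real DC would send.

```python
"""Site-aware DC selection for an AD domain (added example, not SSSD or
Samba code).  Everything network-related is emulated with constructed
data so the selection logic can be run and tested offline."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    priority: int
    weight: int


# Constructed SRV answers for the CONTOSO.COM example from the thread.
# AD publishes a domain-wide list under _ldap._tcp.<domain> and a
# per-site list under _ldap._tcp.<site>._sites.<domain>.
FAKE_DNS = {
    "_ldap._tcp.contoso.com": [
        SrvRecord("dc1.prague.contoso.com", 389, 0, 100),
        SrvRecord("dc1.cork.contoso.com", 389, 0, 100),
        SrvRecord("dc1.dublin.contoso.com", 389, 0, 100),
    ],
    "_ldap._tcp.Prague._sites.contoso.com": [
        SrvRecord("dc2.prague.contoso.com", 389, 10, 100),
        SrvRecord("dc1.prague.contoso.com", 389, 0, 100),
    ],
    "_ldap._tcp.Cork._sites.contoso.com": [
        SrvRecord("dc1.cork.contoso.com", 389, 0, 100),
    ],
}

# Constructed subnet-to-site table.  In a real domain the DC holds this
# mapping and returns the client's site in its CLDAP (netlogon) reply;
# the longest-prefix match below emulates that answer.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Prague",
    "10.2.0.0/16": "Cork",
    "10.3.0.0/16": "Dublin",
    "10.1.200.0/24": "Cork",  # a range inside 10.1/16 homed to Cork
}


def client_site(ip, subnets=SUBNET_TO_SITE):
    """Return the site whose most specific subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def srv_name(discovery_domain):
    """The SRV name an SSSD dns_discovery_domain value expands to."""
    return f"_ldap._tcp.{discovery_domain}"


def ordered_targets(name, dns=FAKE_DNS):
    """SRV targets in RFC 2782 order: lowest priority first, then highest weight."""
    records = sorted(dns.get(name, []), key=lambda r: (r.priority, -r.weight))
    return [r.target for r in records]


def locate_dc(domain, ip, reachable, dns=FAKE_DNS, subnets=SUBNET_TO_SITE):
    """Pick a DC the way a site-aware locator does.

    reachable(host) -> bool emulates the connection attempt.  Returns
    (host, scope) with scope 'site' or 'domain', or (None, None) when
    no DC anywhere in the domain answers.
    """
    site = client_site(ip, subnets)
    candidates = []
    if site:
        candidates.append(("site", f"{site}._sites.{domain}"))
    candidates.append(("domain", domain))  # plain dns_discovery_domain = contoso.com
    for scope, discovery_domain in candidates:
        for host in ordered_targets(srv_name(discovery_domain), dns):
            if reachable(host):
                return host, scope
    return None, None


if __name__ == "__main__":
    up = {"dc1.prague.contoso.com", "dc2.prague.contoso.com", "dc1.cork.contoso.com"}
    print(locate_dc("contoso.com", "10.1.5.7", lambda h: h in up))
    print(locate_dc("contoso.com", "10.1.5.7", lambda h: h == "dc1.cork.contoso.com"))
```

The second call in the `__main__` block shows the fallback Ondrej describes: with both Prague DCs down, the client ends up on a Cork DC from the domain-wide list.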


Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Ondrej Valousek
Just wondering why would anyone want to sync freeIPA and AD - both can serve Linux systems fine, so if I already have AD, I no longer 
require IPA.

My 2 cents...

Ondrej

On 09/29/2011 10:35 PM, Steven Jones wrote:

Hi,

In the documentation it says that new accounts in AD are synced over to freeIPA, so IPA 
sets the UID as it arrives?

What happens if the user is an existing one and has a UID they want to retain, 
does that transfer over and get used?

Also how do you set permissions and groups? Does the new user just go into a default group 
and then you login to freeIPA and set them up? or can you put the GIDs into AD and they get 
transferred and the user put into the right groups automagically?

Looks like I can set this sort of thing how I want in the sync agreement?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Christian Horn
On Mon, Oct 03, 2011 at 10:03:12AM +0200, Ondrej Valousek wrote:
 Just wondering why would anyone want to sync freeIPA and AD - both
 can serve Linux systems fine, so if I already have AD, I no longer
 require IPA.

- the error messages of an AD might be strange to deal with for
unix/linux admins

- While I expect Microsoft to test AD patches with Windows clients
I do not expect them to test linux/unix clients. Resulting in the possibility
that patches of the AD break the communication to linux/unix
clients.

- Having important infrastructure like identification/directory services
running on OpenSource software is a good thing, apply all the OpenSource
advantages here like being able to audit the code etc.


Christian



Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Ondrej Valousek

Well, I think these advantages won't outweigh the extra complexity of having 
two systems for the same thing.
But it is up to everyone's decision...

Ondrej


- the error messages of an AD might be strange to deal with for
unix/linux admins

- While I expect Microsoft to test AD patches with Windows clients
I do not expect them to test linux/unix clients. Resulting in the possibility
that patches of the AD break the communication to linux/unix
clients.

- Having important infrastructure like identification/directory services
running on OpenSource software is a good thing, apply all the OpenSource
advantages here like being able to audit the code etc.


Christian




Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Stephen Gallagher
On Mon, 2011-10-03 at 10:03 +0200, Ondrej Valousek wrote:
 Just wondering why would anyone want to sync freeIPA and AD - both can
 serve Linux systems fine, so if I already have AD, I no longer require
 IPA.
 My 2 cents...


AD can serve Linux systems with a very limited definition of fine. All
support in Active Directory for POSIX compliance is an afterthought to
Microsoft. It exists solely to try and migrate customers from UNIX to
Windows, and really isn't designed for the purpose.

One of the major problems with using AD for Linux support is that it
violates the LDAP and Kerberos standards in several key places, meaning
that the experience on Linux is significantly degraded from that of
Windows machines. For example, in order to support very large group
memberships (>1000 members), Active Directory requires the use of a
special LDAP control to retrieve the members list a page at a time in
several LDAP communications. The way it does this is expressly violating
the LDAP protocol standard, which means that without rewriting all
clients on Linux to break the standard in the same way, Linux and UNIX
machines are capable of only seeing the first thousand members of a
group.

Another problem with Active Directory is its limited support for LDAP
authentication. AD expects that all of its clients are Windows machines,
and therefore capable of using Kerberos and/or NTLM for all
authentication. However, some applications (especially Linux-powered web
applications) can only authenticate using LDAP simple bind
authentication. While AD does have some support for this, LDAP auth
breaks completely in the case of expired users (it has no support for a
password-change grace period with LDAP authentication).

Yet further, in many environments, there are two very different
organizations in the IT departments: one group that manages Windows
systems and one that manages Linux/UNIX systems. By having FreeIPA be
capable of acting as a bridge between the two (either by the current
mechanism of user-syncing or by the forthcoming FreeIPA v3 mechanism of
Kerberos trusted realms), it allows IT departments to continue to hire
staff that knows one system well. It's very hard to find people with a
deep knowledge of both systems; people tend to specialize. It's much
better to let your Linux admins work on the Linux machines, rather than
trying to force your MCSEs to learn the intricacies of a LAMP setup.


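Stephen's point about large groups can be made concrete with the mechanism AD uses for this, ranged attribute retrieval: a search returns at most MaxValRange values of a multi-valued attribute and labels the partial result `member;range=0-999`, and the client has to ask again for `member;range=1000-*` until the upper bound comes back as `*`. The block below is an added example, not SSSD's or any real client's code; the directory is an in-memory stand-in built inline (no LDAP connection), and MaxValRange is set to 1000 to match the figure quoted in the post.

```python
"""Ranged retrieval of a large AD group (added example, not SSSD code).

FakeAD stands in for a domain controller: it serves a multi-valued
'member' attribute in chunks the way AD does, so a client that ignores
the range tag and a range-aware client can be compared offline."""
import re

RANGE_ATTR = re.compile(r"^member;range=(\d+)-(\d+|\*)$")


class FakeAD:
    """Constructed stand-in for a DC holding one group."""

    def __init__(self, members, max_val_range=1000):
        self.members = list(members)
        self.max_val_range = max_val_range
        self.searches = 0  # round trips, so the cost stays visible

    def search(self, attr):
        """Emulate a base-scope search requesting one attribute.

        Returns {attribute_name: values}; the name carries the range
        tag whenever the result is partial, as AD reports it.
        """
        self.searches += 1
        if attr == "member":
            lo = 0
        else:
            m = RANGE_ATTR.match(attr)
            if not m:
                raise ValueError(f"unsupported attribute {attr!r}")
            lo = int(m.group(1))
        total = len(self.members)
        if lo >= total:
            return {}
        hi = min(lo + self.max_val_range, total) - 1
        chunk = self.members[lo:hi + 1]
        if attr == "member" and total <= self.max_val_range:
            return {"member": chunk}  # small group: no range tag at all
        last = "*" if hi == total - 1 else str(hi)
        return {f"member;range={lo}-{last}": chunk}


def naive_members(server):
    """What a client that ignores the range tag ends up with."""
    result = server.search("member")
    return next(iter(result.values()), [])


def all_members(server):
    """Walk the ranges until the server marks the last chunk with '*'."""
    members = []
    attr = "member"
    while True:
        result = server.search(attr)
        if not result:
            break
        (name, values), = result.items()
        members.extend(values)
        if name == "member":
            break  # complete in a single answer
        hi = RANGE_ATTR.match(name).group(2)
        if hi == "*":
            break
        attr = f"member;range={int(hi) + 1}-*"
    return members


if __name__ == "__main__":
    big = FakeAD(f"CN=user{i},CN=Users,DC=contoso,DC=com" for i in range(2500))
    print(len(naive_members(big)), len(all_members(big)), big.searches)
```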

Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Simo Sorce
Ondrej,
it depends on your company structure, complexity and goals and
flexibility.

If you join your Linux machines to an AD directory then you are tied
very strictly, administratively and functionally to that directory.
Given Windows Administration and Linux Administration are very diverse
skill sets, and very few admins are capable of doing both with maximum
proficiency on both systems, we think that splitting your support
organization between the Windows admins and Linux admins is a good thing.

Each group can concentrate on its own tasks w/o too much interference
and less need for coordinating.
Also FreeIPA is targeted at serving Linux machines and has integrated
HBAC, Sudo support and other goodies that are simply missing in the AD
side as they are alien concepts in the Windows world.

Of course small organizations where a single admin group controls both
platforms may decide having just one directory is the way to go. You
have the freedom to choose.

Simo.

On Mon, 2011-10-03 at 12:45 +0200, Ondrej Valousek wrote:
 Well, I think these advantages won't outweigh the extra complexity of
 having two systems for the same thing. 
 But it is up to everyone's decision...
 
 Ondrej
 
  - the error messages of an AD might be strange to deal with for
  unix/linux admins
  
  - While I expect Microsoft to test AD patches with Windows clients
  I do not expect them to test linux/unix clients. Resulting in the possibility
  that patches of the AD break the communication to linux/unix
  clients.
  
  - Having important infrastructure like identification/directory services
  running on OpenSource software is a good thing, apply all the OpenSource
  advantages here like being able to audit the code etc.
  
  
  Christian
 
 

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] Question on AD to freeipa sync

2011-09-29 Thread Steven Jones
Hi,

In the documentation it says that new accounts in AD are synced over to freeIPA, 
so IPA sets the UID as it arrives?

What happens if the user is an existing one and has a UID they want to retain, 
does that transfer over and get used?

Also how do you set permissions and groups? Does the new user just go into a 
default group and then you login to freeIPA and set them up? Or can you put the 
GIDs into AD and they get transferred and the user put into the right groups 
automagically?

Looks like I can set this sort of thing how I want in the sync agreement? 

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
