Hello! I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory (ad.angelsofclockwork.net) and put them into a two-way trust with POSIX. I used these commands:

    ipa-adtrust-install --enable-compat --add-agents
    ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix

The users in AD have POSIX attributes assigned and those attributes are in the global catalog. My Linux clients can see the AD users when I do a getent passwd u...@ad.angelsofclockwork.net. So this is working as intended.

http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I used this guide to add our first Mac to FreeIPA rather than AD. This guide worked for the most part, but I cannot get it to see the users across the trust boundary. I'm sure I'm either missing something or Mac's open directory utility doesn't support trusts like we would think it should.

    [root@sani ~]# dscacheutil -q user -a name admin
    name: admin
    password: ********
    uid: 931600000
    gid: 931600000
    dir: /Users/admin
    shell: /bin/bash
    gecos: Administrator

    [root@sani ~]# dscacheutil -q user -a name louis.abel
    [root@sani ~]# dscacheutil -q user -a name louis.a...@ad.angelsofclockwork.net

Anyone have any suggestions? Or will I have to just connect my Mac to AD and work with it that way? I was trying to avoid having to add to AD, but it seems like I'm going to have to go that route. Unless anyone has experience with getting it to work across trusts.

From my research it seems others have tried to solve the 'trust' problem when there's two AD domains involved, not an IPA and AD domain. So it seems like a Mac-specific problem perhaps.