Re: [Freeipa-users] mod_auth_krb issues with AD trust

2016-05-26 Thread John Meyers
Thanks! For the use case where IPA, and not AD, is the authoritative source, it's actually working out very well if we can solve this last issue. With regard to the work in 4.4, from what I've read about it, I am not 100% sure it will work. In this case the "alternate principal" is a cross-domain

Re: [Freeipa-users] mod_auth_krb issues with AD trust

2016-05-26 Thread Alexander Bokovoy
On Thu, 26 May 2016, John Meyers wrote:
> Alexander, I use both trust AND synchronization. Our IPA is authoritative. We add the "ntUser" objectclass and related attributes and 389ds automatically creates a corresponding AD account and password changes are likewise propagated. This is necessary

Re: [Freeipa-users] mod_auth_krb issues with AD trust

2016-05-26 Thread John Meyers
Alexander, I use both trust AND synchronization. Our IPA is authoritative. We add the "ntUser" objectclass and related attributes and 389ds automatically creates a corresponding AD account and password changes are likewise propagated. This is necessary since FreeIPA can not act as a Global Cata

Re: [Freeipa-users] mod_auth_krb issues with AD trust

2016-05-26 Thread Alexander Bokovoy
On Thu, 26 May 2016, John Meyers wrote:
> All, I have two-way trust established between IPA.DOMAIN.COM and AD.DOMAIN.COM. The users are sync'ed via a replication agreement and password sync so u...@ipa.domain.com is the same person as u...@ad.domain.com.
Trust doesn't use synchronization. Your A

[Freeipa-users] mod_auth_krb issues with AD trust

2016-05-26 Thread John Meyers
All, I have two-way trust established between IPA.DOMAIN.COM and AD.DOMAIN.COM. The users are sync'ed via a replication agreement and password sync so u...@ipa.domain.com is the same person as u...@ad.domain.com. With "KrbLocalUserMapping On" in the Apache config, everything works great for user
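The thread turns on what "KrbLocalUserMapping On" actually does: mod_auth_kerb hands the authenticated principal to krb5_aname_to_localname(), which applies the auth_to_local rules from krb5.conf to decide which local user name lands in REMOTE_USER. The DEFAULT rule only maps single-component principals from the default realm, so a principal from a trusted realm such as AD.DOMAIN.COM is not mapped unless an explicit RULE covers it. The configuration below is an added illustration of that setup, not from the original thread or the FreeIPA project; the realm names come from the post, while the hostname, keytab path and location are assumed.

```apache
# Added example: mod_auth_kerb vhost fragment for a host joined to IPA.DOMAIN.COM
# that must also accept users from the trusted realm AD.DOMAIN.COM.
# Hostname, keytab path and URL path are assumptions for illustration.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Negotiate (SPNEGO) only; do not fall back to prompting for a password
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Realms whose principals are acceptable here: the local one and the trusted AD one
    KrbAuthRealms IPA.DOMAIN.COM AD.DOMAIN.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/httpd.keytab
    # Verify the ticket against the keytab rather than trusting the client blindly
    KrbVerifyKDC On
    # Off: REMOTE_USER is the full principal, e.g. user@AD.DOMAIN.COM
    # On:  REMOTE_USER is whatever the krb5.conf auth_to_local rules produce
    KrbLocalUserMapping On
    Require valid-user
</Location>
```

For the mapping to work for the trusted realm, the rules live under the local realm's entry in the [realms] section of krb5.conf, for example `auth_to_local = RULE:[1:$1@$0](^.*@AD\.DOMAIN\.COM$)s/@.*//` followed by `auth_to_local = DEFAULT` under `IPA.DOMAIN.COM = { ... }`. The regex anchored to `@AD\.DOMAIN\.COM$` matters: a rule that strips the realm from any principal would let `bob@OTHER.REALM` become local `bob`, so restrict the mapping to exactly the realms the trust (and the account synchronization described in the thread) actually makes equivalent.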