On 07/20/2015 07:02 AM, Email wrote:
Hi Rich, thanks for the reply. Here is the link I'm working with
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory-trust.html
I'm looking at both options, the cross forest trust and winsync. For
my project FreeIPA needs to be authoritative wherever possible. Users
need one domain account that works on Linux and Windows. Why would
trusts be a better solution than winsync? Thanks for your help.
Please keep replies on-list.
In general, any time you don't have to copy information around, and
ensure that it is in sync, and remains in sync, that is a better
solution. Trusts does not copy/sync information, so in general it is
preferred.
In your case, it seems that you want FreeIPA to be the authoritative
source of information? And you want to create new users/groups in
FreeIPA, and use that information in the AD/Windows environment? Is
that correct?
Tony
On Wednesday, July 15, 2015, Rich Megginson <rmegg...@redhat.com> wrote:
On 07/15/2015 09:42 AM, Email wrote:
Hi everyone, my name is Tony and this is my first post, so it's
nice to meet all of you. I've been tasked with creating an AD and
FreeIPA environment, and I'm looking into the sync between the
two. It looks like creating a user in AD causes that user to be
created in IPA, but not the other way around. But if I create
them in IPA they will not be auto created in AD. I'm wondering
why this is.
This is intentional. If you are using FreeIPA and windows sync,
it is assumed you want AD to be the provisioning system for new
users, and not FreeIPA.
I would seriously consider using trusts instead of windows sync.
See section 8.1 of the fedora documentation as a reference.
Link please? We may need to clarify the language.
Thanks in advance!
~Tony