On Thu, 04 Nov 2021, Cyrus via FreeIPA-users wrote:
Well, now that you mention it, I wonder what happens with the POSIX
information for the user in the case of crediting all of them in Samba4.

Shell, UID, HOME, ssh public key, it seems I would need to extend the
schema on that side. Would those parameters be recognized by machines
joined to FreeIPA realm?

You can define them in ID overrides on IPA side. If you'd choose
algorithmic ID range (default), then SSSD would automatically assign
UID/GID values anyway, so the only things left to be assigned in the ID
overrides would be shell, home (if the default of /home/domain/user is
not enough), and SSH keys.

With this you don't need to extend Samba AD schema with POSIX attributes
at all.


Regards,
CI.-

On Wed, Nov 3, 2021, 12:18 Harry G. Coin via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

I've had that challenge as well, with users who are not assigned one
system but might freely move among proprietary and open source os systems,
along with the need to isolate all admin functions for both Windows and
Linux sides within one UI (freeipa in this case).   It's quite a ride.  It
works but the details needed to get high availability/failover would fill a
book.   You have to add ipaNTHash ipaNTSecurityIdentifier permissions,
puzzle through ctdb, customize 'registry' values on the linux servers,
align domain and machine SIDs, and then puzzle through the minefield of
supporting older and newer versions of Windows on the same net.   Buckle up!


On 11/3/21 5:47 AM, Cyrus via FreeIPA-users wrote:

Good morning,

I'm in the need to implement an Identity service for a mixed environment
with Windows workstations & Linux systems with a common set of users.

Would it be possible to implement Samba4 for the MS Windows realm and
FreeIPA for the linux machines (where I expect to make use of HBAC &
sudoers support)?

Would it make sense to have all the users in Samba4 or the other way around
(all users in FreeIPA)?

Any advice would be appreciated.

Regards,
CI.-

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
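
The ID overrides described in the reply above, sketched as an added example that is not part of the original thread or of FreeIPA's own code. It assumes a trust to the AD domain already exists and that overrides go into the Default Trust View; the domain `ad.example.test`, the users, and the key placeholder are constructed.

```shell
#!/bin/sh
# Added example: generate `ipa idoverrideuser-add` commands (dry run).
# UID/GID are omitted on purpose: with the algorithmic ID range SSSD derives them.
ID_VIEW='Default Trust View'   # view applied to users from a trusted AD domain

# Single-quote a value so it survives reuse on a shell command line.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_override USER SHELL HOME SSHKEY: print one command, skipping empty fields.
build_override() {
    user=$1; shell=$2; home=$3; key=$4
    case $user in
        *@*) ;;
        *) echo "error: '$user' is not user@ad-domain" >&2; return 1 ;;
    esac
    cmd="ipa idoverrideuser-add $(shquote "$ID_VIEW") $(shquote "$user")"
    if [ -n "$shell" ]; then cmd="$cmd --shell=$(shquote "$shell")"; fi
    if [ -n "$home" ]; then cmd="$cmd --homedir=$(shquote "$home")"; fi
    if [ -n "$key" ]; then cmd="$cmd --sshpubkey=$(shquote "$key")"; fi
    printf '%s\n' "$cmd"
}

# Constructed sample input, one user per line: user|shell|home|ssh public key
sample_users() {
cat <<'EOF'
alice@ad.example.test|/bin/zsh||ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER alice@laptop
bob@ad.example.test||/srv/home/bob|
EOF
}

# Print every command; review, then run them on an IPA-enrolled host as an admin.
emit_all() {
    sample_users | while IFS='|' read -r user shell home key; do
        build_override "$user" "$shell" "$home" "$key" || exit 1
    done
}

emit_all
```

Fields left empty in the input produce no option, so the IPA-side defaults (for example the default home directory) stay in effect for that user.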