Hi!

There are two ways that you can use to integrate FreeIPA with AD:

a.) trust
b.) synchronization

Here are the pros/cons for both of them:
http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync

If you want to manage POSIX attributes for each user, you can do that either with Identity Management for Unix in AD using the trust, or with the synchronization in FreeIPA. With synchronization you see the users in FreeIPA too, but you still have two users to manage - one in FreeIPA and one in AD. With the AD trust the sssd daemon running on FreeIPA proxies all requests from the client sssd directly to AD, so you see no users in FreeIPA, but you have to extend the AD schema using Identity Management for Unix.

Also, the password policy from the group policy in AD is used when you use the AD trust, but on clients with sssd you can change the password using kpasswd from Kerberos.

If you want to use a trust with AD and want to receive the correct GID set in AD, then you have to use sssd >1.9.x, otherwise you get a different GID (see https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html).

All other stuff such as HBAC etc. can be centrally managed in FreeIPA, no matter whether you use a trust or synchronization.

Gregor

2014-09-13 22:03 GMT+02:00 Traiano Welcome <trai...@gmail.com>:
> Hi List
>
> Currently I have a stable trust relationship going between IPA and Windows
> AD. I create users and manage passwords in AD, but want to manage the rest
> in IPA, "the rest" being default shell, default home directory settings,
> RBAC, HBAC, SELinux etc ..
>
> What I'm expecting is to be able to log into the FreeIPA web interface, and
> see a synched list of users created in AD appear in the interface, after
> which I can modify the settings on a per user basis.
>
> If that level of granularity is not possible, I would then expect to be able
> to at least apply an IPA-imposed set of account defaults on an AD user
> group:
>
> - default shell
> - HBAC rules
> - Sudo rules
> - SELinux rules
> - RBAC
>
> Is this possible with FreeIPA? I can't find anything coherent in the
> documentation that describes an effective way of managing the POSIX
> attributes of AD users in FreeIPA.
>
> Thanks in advance!
> Traiano
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
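The part of Traiano's question that Gregor says FreeIPA can handle centrally with a trust (HBAC and sudo rules for an AD group) follows a fixed pattern on the IPA server: an AD group cannot be referenced by a rule directly, so it is added as a member of a non-POSIX "external" group, that group is nested in an ordinary POSIX group, and the rules reference the POSIX group. The script below is an added example written for this page, not code from either poster or from the FreeIPA project. It assumes an established AD trust, an admin Kerberos ticket on the IPA server, and hypothetical names (the AD group `AD\Domain Admins`, IPA hostgroup `webservers`, user `tjones@ad.example.com`, host `web1.ipa.example.com`). With `DRY_RUN=1` (the default) it prints the `ipa` commands instead of running them, so the sequence can be reviewed first; the default shell and home directory Traiano also asks about are, per Gregor's reply, set on the AD side with Identity Management for Unix and are not covered here.

```shell
#!/bin/sh
# Added example, not from the thread. Names (AD\Domain Admins, ad_admins,
# webservers, tjones@ad.example.com, web1.ipa.example.com) are hypothetical.
# Run on the FreeIPA server with an admin ticket and an established AD trust.

: "${DRY_RUN:=1}"   # DRY_RUN=1 prints the ipa commands; DRY_RUN=0 runs them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Map one AD group into FreeIPA and attach HBAC and sudo rules to it.
#   $1  AD group in DOMAIN\Group form   $2  IPA base name   $3  IPA hostgroup
# Rules cannot reference the AD group directly: it goes into a non-POSIX
# "external" group, which is nested inside a POSIX group that the rules use.
map_ad_group() {
    ad_group=$1; name=$2; hostgroup=$3
    run ipa group-add "${name}_external" --external --desc="External members from ${ad_group}"
    run ipa group-add-member "${name}_external" --external="$ad_group"
    run ipa group-add "$name" --desc="POSIX wrapper for ${ad_group}"
    run ipa group-add-member "$name" --groups="${name}_external"
    # HBAC: any PAM service on the hostgroup for members of the POSIX group
    run ipa hbacrule-add "allow_${name}" --servicecat=all
    run ipa hbacrule-add-user "allow_${name}" --groups="$name"
    run ipa hbacrule-add-host "allow_${name}" --hostgroups="$hostgroup"
    # sudo: all commands on the hostgroup for the same members
    run ipa sudorule-add "sudo_${name}" --cmdcat=all
    run ipa sudorule-add-user "sudo_${name}" --groups="$name"
    run ipa sudorule-add-host "sudo_${name}" --hostgroups="$hostgroup"
}

# Simulate HBAC evaluation for an AD user before relying on the rule.
#   $1  user@AD.REALM   $2  IPA host FQDN   $3  PAM service name
check_access() {
    run ipa hbactest --user="$1" --host="$2" --service="$3"
}

map_ad_group 'AD\Domain Admins' ad_admins webservers
check_access tjones@ad.example.com web1.ipa.example.com sshd
```

Review the printed commands, then re-run with `DRY_RUN=0` to apply them; `ipa hbactest` is the quick way to confirm that the trusted-domain user actually matches the rule on a given host and service before the first real login attempt.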