On 02/25/2015 06:48 AM, Dmitri Pal wrote:
On 02/25/2015 07:44 AM, Janne Blomqvist wrote:
Hi,
is it possible to use winsync to sync stuff from AD without having to
create domain trusts, or install some kind of sync services on the AD
DCs?
For some background, we want to fetch user/group info and
authenticate against AD (managed by another department), but we also
have a need to have some own users/groups on top of the AD ones. So
the initial plan would be something like
A1. We join a machine to the AD domain, so we can fetch information
from AD via getent or ldapsearch.
A2. Scripts are written to fetch data from AD on the machine in (1)
above, merge and push this user/group data into freeIPA. These
scripts run periodically via cron.
Clients are configured roughly per the following:
B1. sssd on clients is configured to fetch user/group data from freeIPA.
B2. pam_krb5 in client machines is configured to authenticate against
AD.
B3. pam_ldap (or pam_sss, if its use of kerberos doesn't conflict
with the configuration for connecting to AD used by pam_krb5?) in
client machines is configured to authenticate against freeIPA, for
those users who don't have accounts in AD.
Yes, I can see this being a lot simpler if we could get a cross
domain trust going on between AD and our freeIPA servers or even just
the winsync services running on the DCs, but organizational politics
being what they are, this isn't happening. :(
So my questions are
- Can the freeIPA winsync tool bend to providing A2 above, or do we
have to do it ourselves?
- As this setup is weird and non-standard, will using freeIPA
actually help us here, or would life be easier by just using 389 or
openldap directly? In essence, our main usage of freeIPA would be to
provide management tools for those users/groups which are not synced
from AD.
- With the constraints above that we have to live with, is there a
better way to accomplish this?
- Does the thing in B3 work? I.e. can I have pam_krb5 with config in
/etc/krb5.conf for connecting to AD, then pam_sss with sssd.conf
using the ipa or krb5 auth provider pointing to our freeIPA server(s).
Thanks,
You can use SSSD and define two domains, one for AD and one for IPA.
You join the machine to IPA to at least take advantage of what it provides
for objects you manage, but use AD as a second domain in the SSSD
configuration.
You do not need to sync anything or use pam_krb5/pam_ldap. So no scripts.
You can also decide to join the machine into AD instead but I do not
see any benefits from doing it.
The only price in this setup is that one of the domains (the second
one) would have to use fully qualified user names to log into the system.
+1
If however you still want to do something with scripts and the Windows
AD DirSync control with polling, see
https://github.com/richm/scripts/blob/master/dirsyncctrl.py
HTH
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
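The two-domain SSSD layout suggested above, written out as an added example sssd.conf that is not part of this thread (domain names, server names and the keytab path are constructed placeholders). It assumes the host is enrolled in IPA and already holds an AD host keytab (e.g. from the adcli/realm join described in step A1); without that keytab the AD section would instead need id_provider = ldap with ldap_schema = ad and a bind account.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root)
[sssd]
services = nss, pam
config_file_version = 2
# The first domain listed answers unqualified lookups ("alice");
# users from every later domain must log in as user@domain.
domains = ipa.example.test, ad.example.test

[nss]
# Cap the cache so stale AD group membership is refreshed reasonably often
entry_cache_timeout = 600

[pam]
# Keep offline logins working if either directory is unreachable
offline_credentials_expiration = 2

# --- locally managed users/groups: IPA is authoritative ---
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa          # IPA HBAC rules decide who may log in here
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
cache_credentials = True
use_fully_qualified_names = False

# --- users/groups owned by the other department: read AD directly ---
[domain/ad.example.test]
id_provider = ad
auth_provider = ad              # Kerberos against AD, no pam_krb5 needed
access_provider = ad            # honours AD account disabled/expired state
ad_domain = ad.example.test
ad_server = _srv_
krb5_keytab = /etc/sssd/ad-host.keytab   # constructed path; from the AD join
ldap_id_mapping = True          # derive UID/GID from SIDs, no POSIX attrs needed
cache_credentials = True
# Second domain: logins must use alice@ad.example.test, as noted above
use_fully_qualified_names = True
```

Check the result with `getent passwd alice` (IPA) and `getent passwd alice@ad.example.test` (AD); an unqualified AD name returning nothing is the expected behaviour of this layout, not a fault.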