On 25.7.2016 15:30, Simo Sorce wrote:
> On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
>> Greetings!
>>
>> Yes, I had been hoping there would be a way to incorporate domain
>> trusts between Active Directory and FreeIPA while the clients relying
>> on these for identity management shared the same DNS domain (e.g.
>> linux.company.com and windows.company.com). It sounds like that isn't
>> going to happen.
>
> These are two different domains; as long as linux.company.com is used
> only by FreeIPA, this configuration is already supported via a trust
> relationship.

Let me add that there are workarounds for other cases as well:
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Petr^2 Spacek

>
>> Account replication seems like another way for Active Directory
>> users to be able to log in to servers and use the same username/password
>> for logging in. It wouldn't have SSO, but at least a user would be
>> able to use the same username/password everywhere. Replicating user
>> accounts from an external AD/LDAP server seems to be built in at the
>> moment. There aren't any plans to take that away, are there? Ideally,
>> I'd want a two-way sync so that password changes and user group
>> changes are replicated back to AD as well.
>
> winsync is not being further developed, but we have no plans to take it
> away.
>
> Simo.
>
>> --David Alston
>>
>> -----Original Message-----
>> From: Simo Sorce [mailto:s...@redhat.com]
>> Sent: Friday, July 22, 2016 10:49 AM
>> To: Alston, David
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>>
>> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
>>> Greetings!
>>>
>>> I realize that FreeIPA is supposed to be set up as master of its
>>> own domain, but are there any plans to continue the account
>>> replication functionality that has already been in FreeIPA? I had
>>> heard a rumor that it would be possible to have FreeIPA and Active
>>> Directory coexist in the same domain in some release in the future.
>>> Am I waiting for a feature that will never come?
>>
>> Hi David,
>> in order to respond to your question, an idea of what your expectations
>> are is needed.
>>
>> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no; they
>> will never coexist.
>>
>> If by Domain you mean DNS Domain, then FreeIPA can work in the same
>> domain as AD, but only if you do not care for them interacting (at the
>> Kerberos level: no trusts, no SSO).
>>
>> You can basically have only one association between a DNS domain and a
>> Realm, and a DNS domain is either going to be associated to the AD Domain
>> server or to the IPA Domain.
>>
>> Synchronization, however, is a completely unrelated topic, and I can't give
>> you an answer on that side as I do not understand how it would
>> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
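The "one association between a DNS domain and a realm" point Simo makes above is exactly what a Kerberos client's `[domain_realm]` lookup enforces. The following is an added illustration, not code from FreeIPA, MIT krb5 or anyone in this thread: it models a constructed `[domain_realm]` table in which `linux.company.com` belongs to a FreeIPA realm and `windows.company.com` to an AD realm (both realm names are assumptions), resolves hostnames to realms with a simplified version of the MIT lookup order (exact host entry first, then the longest dotted domain suffix), and refuses to bind one DNS domain to a second realm. Running it shows why two separate sub-domains work with a trust while a single shared domain cannot be claimed by both sides.

```python
"""Added example: Kerberos domain_realm mapping and the one-domain-one-realm rule.

Constructed for illustration; not FreeIPA or MIT krb5 code. Realm names and
hostnames below are assumptions chosen to match the thread's example domains.
"""


class RealmConflict(ValueError):
    """Raised when a DNS domain would be bound to a second, different realm."""


def realm_for_host(hostname, mapping):
    """Resolve a hostname to a realm using a simplified MIT-style lookup.

    mapping is a dict modelled on krb5.conf [domain_realm]: keys without a
    leading dot are exact hostnames, keys with a leading dot are DNS domain
    suffixes. Order: exact host entry, then the host's own domain, then each
    shorter parent domain. Returns None when nothing matches.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def bind_domain(mapping, domain, realm):
    """Add a domain_realm entry, enforcing that a DNS domain maps to one realm.

    A second binding of the same key to a different realm is the situation
    Simo describes as impossible, so it is rejected rather than overwritten.
    """
    current = mapping.get(domain)
    if current is not None and current != realm:
        raise RealmConflict(f"{domain} is already bound to {current}; cannot also bind to {realm}")
    mapping[domain] = realm
    return mapping


def build_two_subdomain_mapping():
    """Constructed layout from the thread: one sub-domain per realm (works with a trust)."""
    mapping = {}
    bind_domain(mapping, ".linux.company.com", "LINUX.COMPANY.COM")      # assumed FreeIPA realm
    bind_domain(mapping, "linux.company.com", "LINUX.COMPANY.COM")
    bind_domain(mapping, ".windows.company.com", "WINDOWS.COMPANY.COM")  # assumed AD realm
    bind_domain(mapping, "windows.company.com", "WINDOWS.COMPANY.COM")
    return mapping


def shared_domain_conflict():
    """Constructed failure case: try to give company.com to both AD and IPA.

    Returns True if the second binding is rejected, which is the expected
    outcome; the parent domain can belong to only one of the two realms.
    """
    mapping = {}
    bind_domain(mapping, ".company.com", "AD.COMPANY.COM")  # assumed AD realm owns the shared domain
    try:
        bind_domain(mapping, ".company.com", "IPA.COMPANY.COM")  # assumed IPA realm
    except RealmConflict:
        return True
    return False


if __name__ == "__main__":
    table = build_two_subdomain_mapping()
    for h in ("web01.linux.company.com", "dc01.windows.company.com", "nas.company.com"):
        print(f"{h:30} -> {realm_for_host(h, table)}")
    print("shared company.com rejected for second realm:", shared_domain_conflict())
```

Hosts under each sub-domain resolve to their own realm, while a host directly under `company.com` resolves to nothing in the two-sub-domain layout; binding `.company.com` itself to one realm and then the other is rejected, which is the configuration the thread says cannot exist.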