On 17/10/2016 15:06, Alexander Bokovoy wrote:
>> Would there be any benefit the other way round - creating identities in S4 and using them to login to FreeIPA-joined *nix boxes? I guess the problem then is where posix attributes like uid and gid come from.
> This works for Samba AD > 4.4. The code in Samba that supports forest
> trust is a bit new (and was written at Red Hat's request) so depending
> on what version you are using your experience will vary.
> 
> IPA supports different methods for mapping IDs, including algorithmic
> ones. We default to algorithmic ID range if existing POSIX IDs aren't
> found.
> 
> See ID MAPPING section in sssd-ad man page for details. You don't need
> to configure anything in SSSD, though, because it is done automatically
> based on the ID ranges in IPA.

OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
  |                  |
USER               SERVER

The server isn't joined directly to the Samba domain, but the manpage for sssd-ad says "This provider requires that the machine be joined to the AD domain".

So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically use this module if, because of trust relationships, a user from the Samba domain logs into it? Would it need configuration, or does it pick up everything it needs from the DNS?

2. If I create the posix uids/gids as extra attributes in the Samba domain, the algorithmic ID mapping isn't required?

Thanks,

Brian.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
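As an added illustration (my own code, not from this thread, from SSSD or from FreeIPA), here is the SID-to-uid arithmetic that the ID MAPPING section of sssd-ad(5) describes, side by side with the stored-POSIX-attribute path that Brian's question 2 asks about; sssd-ad(5) exposes the choice between the two as `ldap_id_mapping`. The range defaults (200,000 .. 2,000,200,000 in 10,000 slices of 200,000) are the documented ones. The 0xdeadbeef seed, hashing the domain SID string with MurmurHash3 and probing forward on a slice collision are my reading of libsss_idmap and should be treated as assumptions; the domain SID and the two directory entries are constructed sample data.

```python
"""Added example: the two ID-mapping paths described in the ID MAPPING
section of sssd-ad(5). Not code from the thread, from SSSD or from FreeIPA."""

import re

# Defaults documented in sssd-ad(5)/sssd-ldap(5): 10,000 slices of
# 200,000 IDs each, covering 200,000 .. 2,000,200,000.
IDMAP_RANGE_MIN = 200_000
IDMAP_RANGE_MAX = 2_000_200_000
IDMAP_RANGE_SIZE = 200_000
MAX_SLICES = (IDMAP_RANGE_MAX - IDMAP_RANGE_MIN) // IDMAP_RANGE_SIZE  # 10,000

# Assumption: libsss_idmap picks the slice with MurmurHash3 (x86, 32-bit)
# over the domain SID string, seeded with 0xdeadbeef.
IDMAP_HASH_SEED = 0xDEADBEEF

# Account SIDs in an AD/Samba domain look like S-1-5-21-<a>-<b>-<c>-<RID>.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3_x86_32, following the reference algorithm."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = (_rotl32(h1, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = _rotl32((k1 * c1) & MASK32, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


def split_sid(sid: str):
    """Split an account SID into (domain SID, RID)."""
    if not ACCOUNT_SID_RE.match(sid):
        raise ValueError(f"not an account SID: {sid}")
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def slice_for_domain(domain_sid: str, taken=()) -> int:
    """Slice index for a domain: hash(domain SID) mod MAX_SLICES. If that
    slice already belongs to another domain, probe forward (assumed rule)."""
    s = murmurhash3_32(domain_sid.encode("ascii"), IDMAP_HASH_SEED) % MAX_SLICES
    for _ in range(MAX_SLICES):
        if s not in taken:
            return s
        s = (s + 1) % MAX_SLICES
    raise RuntimeError("all slices are taken")


def algorithmic_id(sid: str, taken=()) -> int:
    """uid/gid for a SID: slice base + RID. A RID that does not fit in the
    slice cannot be mapped; that is the limit ldap_idmap_range_size sets."""
    domain_sid, rid = split_sid(sid)
    if rid >= IDMAP_RANGE_SIZE:
        raise ValueError(f"RID {rid} exceeds slice size {IDMAP_RANGE_SIZE}")
    base = IDMAP_RANGE_MIN + slice_for_domain(domain_sid, taken) * IDMAP_RANGE_SIZE
    return base + rid


def resolve_id(entry: dict, ldap_id_mapping: bool, taken=()) -> int:
    """The switch sssd-ad(5) calls ldap_id_mapping.
    False: uidNumber/gidNumber stored in the directory are used as-is; an
           entry without one is simply not a POSIX user/group on this host.
    True:  the ID is derived from objectSid; stored POSIX attributes are ignored."""
    if not ldap_id_mapping:
        posix = entry.get("uidNumber", entry.get("gidNumber"))
        if posix is None:
            raise LookupError(f"{entry.get('sAMAccountName')} has no POSIX ID")
        return int(posix)
    return algorithmic_id(entry["objectSid"], taken)


# Constructed sample entries (not real accounts): one domain, RIDs 1104/1105.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRIES = [
    {"sAMAccountName": "brian", "objectSid": f"{DOMAIN_SID}-1104", "uidNumber": "10001"},
    {"sAMAccountName": "alice", "objectSid": f"{DOMAIN_SID}-1105"},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        name = entry["sAMAccountName"]
        print(f"{name}: algorithmic uid {resolve_id(entry, True)}")
        try:
            print(f"{name}: stored uidNumber {resolve_id(entry, False)}")
        except LookupError as exc:
            print(f"{name}: {exc}")
```

Two caveats from sssd-ad(5) worth keeping in mind when reading the output: every user and group of one domain lands in the same slice, so two hosts with the same range settings agree on IDs only as long as they see the same set of trusted domains in the same order (a collision pushes a domain to the next slice), and `ldap_idmap_autorid_compat` replaces the hash with winbind-style sequential slice allocation. On an IPA-enrolled client neither of these settings is edited by hand; the ranges the IPA server hands out can be inspected with `ipa idrange-find`, which is the mechanism Alexander refers to.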