Hello everyone,
I'm about to deploy a fresh IPA domain that needs to integrate with Active
Directory. In my lab environment I've set up a trust with AD, and the following
items are driving me away from using the trust:
- Users can't log in to a Linux box using just "username" ([email protected] is
used)
- Since AD trust users don't show up in the FreeIPA web UI, users can't log in to
manage their own SSH keys
- User/group management in general becomes largely a command-line operation
(such as mapping groups so they can be used in HBAC and sudo rules)
First, if any of the above is incorrect or there are workarounds, I am very much
open to discussion.
I'm considering using WinSync+PassSync so that users and groups appear as
"real" IPA objects to be managed normally. Given that an entire tool has been
written to migrate away from WinSync to AD trusts, and language in the RH
documentation suggests only using WinSync if you have to, I'm wondering what
issues I'm not considering and whether I could be heading toward a world of hurt.
Guidance in this area is appreciated.
Thanks,
j
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
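The group-mapping step the post calls a "command-line operation", as an added example that is not part of the original post or the FreeIPA project's own scripts: an AD group is placed in an IPA external group, that is wrapped in a POSIX group, and the POSIX group is referenced from an HBAC rule. It assumes an IPA server with an established trust and an admin Kerberos ticket; ad.example.com, "Domain Users" and the group/rule names are placeholders.

```shell
#!/bin/sh
# Map an AD group into IPA so it can be used in HBAC (and sudo) rules.
# Added example, not from the original post. All names below are
# placeholders; override them via the environment. Set DRY_RUN=1 to print
# the ipa commands instead of executing them.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
AD_GROUP="${AD_GROUP:-Domain Users}"
EXT_GROUP="${EXT_GROUP:-ad_users_external}"
POSIX_GROUP="${POSIX_GROUP:-ad_users}"
HBAC_RULE="${HBAC_RULE:-allow_${POSIX_GROUP}_ssh}"

# Execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: an external (non-POSIX) group holds the SID-backed AD members.
map_external_group() {
    run ipa group-add "$EXT_GROUP" --external --desc="AD $AD_GROUP (external)"
    run ipa group-add-member "$EXT_GROUP" --external="${AD_GROUP}@${AD_DOMAIN}"
}

# Step 2: a POSIX group nests the external one; rules reference this group.
map_posix_group() {
    run ipa group-add "$POSIX_GROUP" --desc="AD $AD_GROUP (POSIX)"
    run ipa group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
}

# Step 3: an HBAC rule granting sshd on all hosts to the POSIX group.
# (sudorule-add-user takes the same --groups= form for sudo rules.)
add_hbac_rule() {
    run ipa hbacrule-add "$HBAC_RULE" --hostcat=all --desc="AD $AD_GROUP via ssh"
    run ipa hbacrule-add-service "$HBAC_RULE" --hbacsvcs=sshd
    run ipa hbacrule-add-user "$HBAC_RULE" --groups="$POSIX_GROUP"
}

main() {
    map_external_group && map_posix_group && add_hbac_rule
}

# Only act when invoked as "./map_ad_group.sh apply"; sourcing just defines
# the functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run `DRY_RUN=1 ./map_ad_group.sh apply` first to review the exact ipa commands before applying them.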