Welcome to Windows Security Tab world. ;)
As I said before:
from Windows machines because their UI calls into some DCE RPC APIs we
do not support on IPA side. They also try to call into Global Catalog
and the primary LDAP instances while expecting those to have AD LDAP
schema and DIT structure. IPA is not supporting those so no wonder
things fail.
Windows implementation is inconsistent with regards to the ways how user
search and resolving is done, for various reasons we can only guess
about.
See, for example, our talk at SambaXP'20:
https://talks.vda.li/talks/2020/sxp20-d2t2-1-bokovoy-blancrenaud-FreeIPA-Catalog.pdf
One last comment and two last question, before I put this AD-trust
adventure to sleep.
Comment: You really should implement Global Catalog support, and let AD
talk to IPA, even though I understand that the work is hard. But I would
assume that samba has it implemented already, and that samba-code base
could be reused for IPA? There has to be wealthy sponsors interested in
getting this to work..
Question 1.: You wrote something about Global Catalog in last year's
progress report on IPA-to-IPA trust, is it on the agenda when you
release an ipa-to-ipa-trust capable version? Or have you abandoned
implementing Global Catalog in IPA altogether ?
Question 2.: Getting more activity involved in IPA-development (at least
testing and feedback), where do we start?
--
Vennlig Hilsen
Jostein Fossheim
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
