On 06/20/2013 05:35 PM, Brian Wheeler wrote:
> Hello!
>
> So here's the situation I'm in. The university has its AD domain
> locked down pretty tight -- getting a trust is out of the question,
> creating new users isn't allowed, and they seem to have no interest in
> supporting linux management.
>
> I'd like to be able to leverage the AD kerberos server but manage
> users locally.
>
> So here's what I'm thinking about doing: putting my site users/groups
> and copies of the relevant AD users into IPA. The site users would
> have UIDs > 1 billion and the users from AD would have whatever
> unixuid attribute they have (only the uid is stored in AD -- they
> didn't do a full posix setup). The IDs will not conflict with each
> other, so I'm set there.
>
> I'd have two entries in sssd.conf: one entry would have a min/max id
> matching the AD users and the other would be 1 billion+ to match the
> local users/groups. The AD range would use the university's AD
> kerberos for authentication and IPA for everything else. The other
> would use IPA normally.
>
> I was able to get this working successfully when setting up 389
> manually by using two nearly identical configs in sssd and making the
> AD one resolve first, but I can't seem to figure out the magic chant
> for making it work with IPA.
>
> So, is something like this even possible? Is there a better way to be
> able to use IPA and stay out of the password business for the real
> users of my system? If it comes down to it, I'll manually set up 389
> and do it the way I prototyped it, but I'd really like to have
> something resembling a "standard" build. This is all on RHEL6. If a
> newer version of IPA is required I'd be ok with installing it.
>
> Brian
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

Was there any help provided here?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
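
The two-domain sssd.conf layout described in the quoted message, sketched for the 389-based prototype it mentions. This is an added example, not configuration posted by anyone in the thread: every hostname, realm, base DN and the AD-range ID bounds are constructed placeholders, and LDAP bind for the site-range domain is an assumption.

```ini
# Added illustration. All hostnames, realms, base DNs and the AD-range
# bounds below are constructed placeholders, not values from the thread.
[sssd]
config_file_version = 2
services = nss, pam
# Domains are consulted in this order, so the AD-range domain resolves first.
domains = ad_range, site_range

[domain/ad_range]
# Identity data comes from the local directory (copies of the AD users).
id_provider = ldap
ldap_uri = ldaps://directory.site.example
ldap_search_base = dc=site,dc=example
ldap_tls_reqcert = demand
# Entries with a UID outside this range are ignored by this domain and
# fall through to the next one. Bounds are placeholders for the AD range.
min_id = 10000
max_id = 999999999
# Passwords are checked against the university KDC and never stored locally.
auth_provider = krb5
krb5_server = kdc.university.example
krb5_realm = AD.UNIVERSITY.EXAMPLE

[domain/site_range]
# Same directory, but only site-managed accounts at one billion and above.
id_provider = ldap
ldap_uri = ldaps://directory.site.example
ldap_search_base = dc=site,dc=example
ldap_tls_reqcert = demand
min_id = 1000000000
# max_id = 0 means no upper limit.
max_id = 0
# Assumption: site users authenticate by LDAP bind to the local directory.
auth_provider = ldap
```

Without a host keytab issued by the AD realm, `krb5_validate` cannot be enabled for the first domain, so the client has no way to verify that the KDC answering a login is the genuine one.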
