On 03/04/2015 04:57 AM, Hugh wrote:
> All,
>
> We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS 6.5
> and synching to AD. We're able to synch users, but can't synch groups.
> When I was adding in the ntGroup objectclass, it appears that that
> requires ntUserDomainId to be set. Shouldn't that be ntGroupDomainId? I
> tried to add ntGroupDomainId, but that attribute doesn't seem to be
> allowed by any objectclasses. I did a grep on the /etc/dirsrv directory
> and can see ntGroupDomainId in the attribute list, but not in any of the
> objectclasses. What attributes/objectclasses are required for synching
> to AD?

Hello Hugh,

Before you dive in further in the FreeIPA winsync and groups, please note that FreeIPA does not support group sync from/to AD and there are no plans for adding that capability. We are focusing on AD Trusts instead, as *the* way for cooperation with AD.

This is a related upstream ticket with a similar request, just a different direction:
https://fedorahosted.org/freeipa/ticket/3946

Martin
