IPA is successfully installed, a one-way trust created, and we have been able to log in using AD credentials.

For future googlers, there is some bare-bones documentation on how to allow AD users to log in to your system, under the heading "Allow access for users from AD domain to protected resources": http://www.freeipa.org/page/Active_Directory_trust_setup#Configure_IPA_server_for_cross-realm_trusts
I can confirm this works for a one-directional trust (IPA trusts AD), since that is what we have.

Question/Issue:

Currently I have two logins, one in the AD domain and one on each server in the IPA domain. The desire is to close that gap.

We were under the impression that, utilising idoverrideuser, we could map AD's "Smith Jane"@example.org (or EXAMPLE\Jane Smith; yes, I know our AD logins have spaces in them; it's a technical debt that has no solution roadmap within the org) to [email protected] (which we would set up in IPA), and be able to override certain aspects, like:

- instead of using the clumsy ssh "Smith Jane"@[email protected] to log in to a system, we could use: ssh [email protected]

and that via the ID Views Default Trust View the IPA server would:

- see that jsmith is "Smith Jane" in AD
- authenticate against "Smith Jane"'s AD password
- see that jsmith's uid now needs to be 1500 instead of 17890983
- see that jsmith's home should be /home/jsmith, creating this dir if it doesn't exist
- see that jsmith's shell is /bin/bash

Am I merely imagining that this is possible? My information came from various blog posts on the RH blog that suggested such a thing was possible, and this post on the FreeIPA site: http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views

Given the above use case, can I please get advice on:

- is there a preferred order in which the IPA user ([email protected]) is created and the AD user (EXAMPLE\Smith Jane) has their ID Views Default Trust View entry created?
- for the creation of the homedir on login, does this need to be done per host, via ipa-client-install's --mkhomedir option, rather than per user?

Have I missed something?
Cheers L.
