On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote:
> Greetings!
>
> Yes, I had been hoping there would be a way to incorporate domain
> trusts between Active Directory and FreeIPA while the clients relying
> on these for identity management shared the same DNS domain (eg.
> linux.company.com and windows.company.com). It sounds like that isn't
> going to happen.

These are two different domains; as long as linux.company.com is used only by FreeIPA, this configuration is already supported via a trust relationship.

> Account replication seems like another way for Active Directory
> users to be able to login to servers to use the same username/password
> for logging in. It wouldn't have SSO, but at least a user would be
> able to use the same username/password everywhere. Replicating user
> accounts from an external AD/LDAP server seems to be built-in, at the
> moment. There aren't any plans to take that away, is there? Ideally,
> I'd want a two way sync so that password changes and user group
> changes are replicated back to AD as well.

winsync is not being further developed, but we have no plans to take it away.

Simo.

> --David Alston
>
> -----Original Message-----
> From: Simo Sorce [mailto:[email protected]]
> Sent: Friday, July 22, 2016 10:49 AM
> To: Alston, David
> Cc: [email protected]
> Subject: Re: [Freeipa-users] Replicating users/groups from AD
>
> On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote:
> > Greetings!
> >
> > I realize that FreeIPA is supposed to be set up as master of its
> > own domain, but are there any plans to continue the account
> > replication functionality that has already been in FreeIPA? I had
> > heard a rumor that it would be possible to have FreeIPA and Active
> > Directory coexist in the same domain in some release in the future.
> > Am I waiting for a feature that will never come?
>
> Hi David,
> in order to respond to your question, an idea of what your expectations
> are is needed.
>
> If by Domain you mean "AD Domain or Kerberos Realm", the answer is no, they
> will never coexist.
>
> If by Domain you mean DNS Domain, then FreeIPA can work in the same
> domain as AD, but only if you do not care for them interacting (at the
> Kerberos level: no trusts, no SSO).
>
> You can basically have only one association between a DNS domain and a Realm,
> and a DNS domain is either going to be associated to the AD Domain server or
> to the IPA Domain.
>
> Synchronization, however, is a completely unrelated topic, and I can't give
> you an answer on that side as I do not understand how it would
> relate to the coexistence of FreeIPA and AD in a single DNS domain.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
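The point Simo makes about one DNS domain mapping to exactly one Kerberos realm can be seen in how a Kerberos client resolves a hostname to a realm through the [domain_realm] section of krb5.conf. The following is an added example, not code from the thread or from the FreeIPA project: it parses a constructed krb5.conf fragment in which linux.company.com belongs to the IPA realm and windows.company.com to the AD realm (the realm names are assumptions), resolves hostnames using longest-suffix matching, and flags any DNS domain that has been given two different realms. The "first entry wins" rule for duplicate keys is an assumption of this example, not a statement about any particular Kerberos implementation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two DNS domains from the thread, each tied to
# exactly one realm. Realm names are assumptions made for this example.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = LINUX.COMPANY.COM
  dns_lookup_realm = false

[domain_realm]
  .linux.company.com = LINUX.COMPANY.COM
  linux.company.com = LINUX.COMPANY.COM
  .windows.company.com = WINDOWS.COMPANY.COM
  windows.company.com = WINDOWS.COMPANY.COM
"""


def parse_domain_realm(text: str) -> List[Tuple[str, str]]:
    """Return (domain, realm) pairs from the [domain_realm] section in file order.

    Duplicates are kept deliberately so that find_conflicts() can spot a DNS
    domain that has been pointed at two realms.
    """
    pairs: List[Tuple[str, str]] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            domain, realm = (part.strip() for part in line.split("=", 1))
            pairs.append((domain.lower(), realm.upper()))
    return pairs


def find_conflicts(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return every DNS domain that is mapped to more than one distinct realm."""
    seen: Dict[str, List[str]] = {}
    for domain, realm in pairs:
        realms = seen.setdefault(domain, [])
        if realm not in realms:
            realms.append(realm)
    return {domain: realms for domain, realms in seen.items() if len(realms) > 1}


def realm_for_host(hostname: str, pairs: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-suffix lookup in the style of [domain_realm].

    An exact hostname entry wins; otherwise '.parent', then '.grandparent',
    and so on are tried. Returns None when no entry covers the host.
    """
    mapping: Dict[str, str] = {}
    for domain, realm in pairs:
        mapping.setdefault(domain, realm)   # first entry wins (example assumption)
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


if __name__ == "__main__":
    pairs = parse_domain_realm(SAMPLE_KRB5_CONF)
    for host in ("web1.linux.company.com", "pc7.windows.company.com", "printer.company.com"):
        print(f"{host:28} -> {realm_for_host(host, pairs)}")
    # Trying to hand the shared parent domain to both realms is exactly the
    # configuration the thread says cannot exist; the checker reports it.
    both = pairs + [(".company.com", "LINUX.COMPANY.COM"),
                    (".company.com", "WINDOWS.COMPANY.COM")]
    print("conflicts:", find_conflicts(both))
```

Hosts under linux.company.com resolve to the IPA realm and hosts under windows.company.com to the AD realm, while a host directly under company.com matches nothing because neither realm owns that parent domain; giving company.com to both realms is reported as a conflict rather than silently picking one.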
