[Freeipa-users] Winsync

Srdjan Dutina sdutina at gmail.com
Tue Oct 27 17:33:48 UTC 2015


Hi Aleksander and Tomas, thanks for quick responses!

I find trust-based solution more advanced but also more complicated - two
sites, one with FreeIPA and other with AD domain, limited communication
from FreeIPA to AD site, FreeIPA not aware of AD sites, questionable use of
RODCs and Kerberos which heavily depends on DNS. Acceptable solution would
be public key login for my AD users but they are not able to log in to
FreeIPA web UI to update their SSH keys.
So Winsync seems like simpler solution here.

Regards,
Srdjan.



On Tue, Oct 27, 2015 at 6:20 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 27 Oct 2015, Tomas Babej wrote:
>
>>
>>
>> On 10/27/2015 05:51 PM, Srdjan Dutina wrote:
>>
>>> Hi!
>>>
>>>
>> Hello Srdjan,
>>
>>> Is syncing (winsync) users and passwords from MS Active Directory
>>> deprecated in FreeIPA 4.x?
>>> If not, is there some documentation on how to use it?
>>>
>>>
>> Winsync synchronization is not deprecated as of now, but we are trying
>> to move away from it in favor of the trust-based solution. I would
>> certainly encourage you to try that before using winsync.
>>
> Documentation is in the 'Windows Integration Guide':
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> Chapter 7 covers winsync.
>
>>> Additionally, when using FreeIPA - AD trust, is it possible for user from
>>> trusted domain to log on to FreeIPA web UI?
>>>
>>
>> Yes.
>>
> No. AD users cannot login to web UI. We are planning to add this
> possibility in FreeIPA 4.4 or around that time, to allow AD users to
> manage parts of their ID overrides.
>
>
> --
> / Alexander Bokovoy
>