[Freeipa-users] a user delegated to control a OU and realmd join - how..

Simo Sorce simo at redhat.com
Tue May 17 13:19:27 UTC 2016


On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in
> > > such a way so I tap my IPA into a specific OU within that AD.
> > 
> > I'm not exactly sure what you mean here. Do you want to join a
> > computer which is already a client in an IPA domain to AD as well? If
> > this is the case I would recommend considering the IPA trust feature.
> > Joining 2 domains is in general possible with SSSD but has to be done
> > with very great care, e.g. by using different keytabs for each domain.
> Can an IPA domain establish a trust with a win AD if the IPA admin only
> has admin control over an OU in win AD?

No, you need to be a Domain Admin with full privileges.

> I know very little about AD and have only started with IPA - I don't
> suppose control of an OU delegated to a user makes that user an AD admin.

It doesn't.

> I guess what I'm thinking, asking, is - what would be the correct
> possible way to plug in, connect an IPA domain to win AD when one has
> admin control only over an OU in win AD?

Not sure you can even do sync; there isn't really much you can do with
those privileges, you are basically just allowed to administer a
"group".

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York