On Fri, May 17, 2019 at 07:11:23PM +0300, Alexander Bokovoy wrote:
>On Fri, 17 May 2019, Lars Seipel wrote:
>>On Mon, May 13, 2019 at 01:06:10PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
>>>You may try with versions in Fedora 30 (updates). It includes FreeIPA
>>>4.7.90.pre1 which has some improvements in this area.
>>
>>Just to be sure: this is about AD users from a Samba-based domain
>>accessing FreeIPA resources. The other way around (i.e. IPA users
>>logging into Windows systems) is not expected to work, right?
>
>Correct.
>
>>AFAICT, it still hinges on the availability of a Global Catalog
>>implementation on the IPA side. Correct?
>
>Correct.
>
>>Is your 2017 SambaXP talk[1] still an accurate description of what
>>would need to happen to make this work?
>
>Yes. I have some progress since that time in a bit of obscure areas
>around domain membership on IPA clients. Some of that work showed that
>in some cases it is possible to resolve IPA users' SIDs to names without
>global catalog too. I'm intending to look into that after landing domain
>member work soon.

Cool, thanks!

Lars