Hi,


I am looking into migrating an existing deployment of LDAP with hundreds of users and hundreds of groups into an IPA solution with trust against AD. All users currently exist with the same names in AD but the groups do not; one solution would be adding all those groups to AD with gidNumber set, to only administer the users and groups in AD. External groups seem to be the solution, but that would require external groups created in the IPA. I would like to avoid that and have tested with groups only in AD with gidNumber set, and it seems to work: I can at least see the group, and SUDO rules work with the group.


So my question is: can you use groups in AD without referencing them in IPA? And please throw in any other suggestions for trying to have all data in Active Directory without having to change anything in the IPA when adding users or groups (or host/netgroups for that matter).


Thanks

Henrik


