On Fri, 22 Oct 2021, Yehuda Katz wrote:
Not worried about Windows 10 Home. All the machines have Pro. I also have
no issues running real Windows Server domain controllers.
I do want to be able to use policy features in IPA like HBAC, sudo rules,
etc. Will a trust without synced local users cause any issues with that?

It will work just fine -- follow RHEL IdM documentation on this.

- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Fri, Oct 22, 2021, 12:42 AM Jonathan Aquilina <jaquilina(a)eagleeyet.net>
wrote:
> Hi Guys,
>
> Long time lurker. I can confirm in order to join an AD domain you need at
> least Win 10 Pro.
>
> The below using Samba isn’t a bad idea in all fairness. The question
> becomes though how would you join a Windows 10 Home machine to the Samba
> AD controller?
>
> Regards,
> Jonathan
>
> -----Original Message-----
> From: Alexander Bokovoy via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>
> Sent: 22 October 2021 06:32
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Yehuda Katz <yehuda(a)ymkatz.net>; Alexander Bokovoy <
> abokovoy(a)redhat.com>
> Subject: [Freeipa-users] Re: Recommendations for completely new IPA and AD
>
> On Thu, 21 Oct 2021, Yehuda Katz via FreeIPA-users wrote:
> >I was asked to set up a completely new network for a non-profit. They
> >have a mix of Windows and Linux (mostly Ubuntu) machines. Until now I
> >have only used FreeIPA (or RedHat IDM) in a standalone configuration.
> >Is there any kind of best practices documentation for this situation? A
> >discussion of a sync vs. trust approach? Any known gotchas?
>
> Things to consider:
> - Windows machines cannot be enrolled into FreeIPA, they have to be
> enrolled into Active Directory
>
> - If users are all on Active Directory side, they can login to
> FreeIPA-enrolled machines through trust to Active Directory
>
> - While winsync plugin allows to synchronize users from Active
> Directory side to FreeIPA (they become FreeIPA users), this is of
> limited functionality and in general not going to live well in future
> as we consider deprecating this approach
>
> It used to be that non-Pro versions of Windows weren't possible to join to
> Active Directory. I'd rather check what is in use before planning it.
>
> For a non-profit it is probably worth considering deploying Samba AD as
> your Active Directory configuration.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland