Hello!
I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory
(ad.angelsofclockwork.net) and put them into a two-way trust with POSIX. I used these
commands:
ipa-adtrust-install --enable-compat --add-agents
ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix
The users in AD have POSIX attributes assigned and those attributes are in the global
catalog. My Linux clients can see the AD users when I do a getent passwd
user@ad.angelsofclockwork.net. So this is working as intended.
http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I used this
guide to add our first Mac to FreeIPA rather than AD. This guide worked for the most part,
but I cannot get it to see the users across the trust boundary. I'm sure I'm
either missing something or Mac's open directory utility doesn't support trusts
like we would think it should.
[root@sani ~]# dscacheutil -q user -a name admin
name: admin
password: ********
uid: 931600000
gid: 931600000
dir: /Users/admin
shell: /bin/bash
gecos: Administrator
[root@sani ~]# dscacheutil -q user -a name louis.abel
[root@sani ~]# dscacheutil -q user -a name louis.abel@ad.angelsofclockwork.net
Anyone have any suggestions? Or will I have to just connect my Mac to AD and work with it
that way? I was trying to avoid having to add to AD, but it seems like I'm going to
have to go that route. Unless anyone has experience with getting it to work across trusts.
From my research it seems others have tried to solve the 'trust' problem when
there's two AD domains involved, not an IPA and AD domain. So it seems like a
Mac-specific problem perhaps.