Not worried about Windows 10 Home. All the machines have Pro. I also have no issues running real Windows Server domain controllers.
I do want to be able to use policy features in IPA like HBAC, sudo rules, etc. Will a trust without synced local users cause any issues with that?
- Y
Sent from a device with a very small keyboard and hyperactive autocorrect.
On Fri, Oct 22, 2021, 12:42 AM Jonathan Aquilina jaquilina@eagleeyet.net wrote:
Hi Guys,
Long time lurker. I can confirm that in order to join an AD domain you need at least Win 10 Pro.
The below using Samba isn’t a bad idea in all fairness. The question becomes, though: how would you join a Windows 10 Home machine to the Samba AD controller?
Regards, Jonathan
-----Original Message-----
From: Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 22 October 2021 06:32
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Yehuda Katz yehuda@ymkatz.net; Alexander Bokovoy <abokovoy@redhat.com>
Subject: [Freeipa-users] Re: Recommendations for completely new IPA and AD
On Thu, 21 Oct 2021, Yehuda Katz via FreeIPA-users wrote:
I was asked to set up a completely new network for a non-profit. They have a mix of Windows and Linux (mostly Ubuntu) machines. Until now I have only used FreeIPA (or RedHat IDM) in a standalone configuration. Is there any kind of best practices documentation for this situation? A discussion of a sync vs. trust approach? Any known gotchas?
Things to consider:
Windows machines cannot be enrolled into FreeIPA; they have to be enrolled into Active Directory.
If users are all on the Active Directory side, they can log in to FreeIPA-enrolled machines through a trust to Active Directory.
While the winsync plugin allows synchronizing users from the Active Directory side to FreeIPA (they become FreeIPA users), this is of limited functionality and in general not going to live well in the future, as we consider deprecating this approach.
It used to be that non-Pro versions of Windows couldn't be joined to Active Directory. I'd rather check what is in use before planning it.
For a non-profit it is probably worth considering deploying Samba AD as your Active Directory configuration.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://link.edgepilot.com/s/353e228f/dztk3XYEi0aFWaiQj6NYgQ?u=https://docs....
List Guidelines: https://link.edgepilot.com/s/5d76def5/Td4UrtlZ6EOnNh9n6-3LKQ?u=https://fedor...
List Archives: https://link.edgepilot.com/s/272b5696/8xmEHAzD_kibpiI-63hpXQ?u=https://lists...
Do not reply to spam on the list, report it: https://link.edgepilot.com/s/0f57d6da/-ls6zhlc-0uuBKO_6RvycA?u=https://pagur...
On Fri, 22 Oct 2021, Yehuda Katz wrote:
Not worried about Windows 10 Home. All the machines have Pro. I also have no issues running real Windows Server domain controllers.
I do want to be able to use policy features in IPA like HBAC, sudo rules, etc. Will a trust without synced local users cause any issues with that?
It will work just fine -- follow RHEL IdM documentation on this.