On ti, 17 heinä 2018, paul mitchell via FreeIPA-users wrote:
We currently have a single AD (2016) domain, company.co.uk. The DNS
zone file is managed by Active Directory, so all machines (Windows and
Linux) are listed in the zone file. Windows users authenticate against
AD and Linux users authenticate against a separate NIS server. We are
considering replacing NIS with a FreeIPA server. The most important
consideration is to maintain the *ix users GUID and UID data that is
currently stored on the NIS server. If this data could be stored in AD,
then we probably would not be considering FreeIPA. A typical *ix user
workflow is for the user to ssh from their local machine to one of 20
development servers. The user GUID and UID must be the same
regardless of which machine they access. We don’t currently have any
username/password synchronisation between AD and NIS so this is not a
requirement. It’s clear that to enable a trust between FreeIPA and AD, we
would need to create a separate IPA domain.
I assume all 20 development servers would need to be added to the IPA

Let me ask you a few clarifying questions.
So there are:
- users in Active Directory, they are not the same as '*ix' users in
- users in NIS, with their attributes
- '*ix' servers run some sort of an operating system which you can
integrate with FreeIPA
For those servers, are you able to run SSSD on them?
For those '*ix' users, you'd most likely import them into IPA as normal
IPA users. See https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
If they are actually a reflection of AD users, then it might be better
to avoid importing them at all and instead use ID overrides.
For users in AD, you can use 'Default trust view' to define the required
override for each user, using those UIDs and GIDs from NIS, if needed.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
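The ID-override route Alexander describes (AD users keep their NIS UID/GID via the 'Default Trust View') can be scripted from the NIS passwd map. The script below is an added example, not code from the thread or from the FreeIPA project; it assumes the AD domain is company.co.uk as stated in the question, that each NIS login name equals the AD account name, and that the passwd map is a constructed copy of `ypcat passwd` output. It only prints the `ipa idoverrideuser-add` commands so they can be reviewed before being applied on an enrolled IPA client.

```shell
#!/bin/bash
# Added example: emit FreeIPA ID-override commands for AD users from a NIS
# passwd map. Assumptions (constructed): AD realm company.co.uk, NIS login ==
# AD sAMAccountName, map held in NIS_PASSWD (format login:pw:uid:gid:gecos:home:shell).

AD_REALM="company.co.uk"
ID_VIEW="Default Trust View"

# Constructed sample of 'ypcat passwd' output, including one defective entry.
NIS_PASSWD='alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
bob:x:10002:10001:Bob Example:/home/bob:/bin/zsh
baduser:x:notanumber:10001:Broken entry:/home/baduser:/bin/sh'

# Print one 'ipa idoverrideuser-add' command per valid entry on stdout.
# Entries with a non-numeric uid or gid are reported on stderr and skipped;
# the function returns 1 if anything was skipped so the caller can notice.
nis_to_overrides() {
    local rc=0 login pw uid gid gecos home shell
    while IFS=: read -r login pw uid gid gecos home shell; do
        [ -z "$login" ] && continue
        case "${uid:-x}${gid:-x}" in
            *[!0-9]*) echo "skip: $login (non-numeric uid/gid)" >&2; rc=1; continue ;;
        esac
        printf "ipa idoverrideuser-add '%s' '%s@%s' --uid=%s --gidnumber=%s --homedir='%s' --shell='%s'\n" \
            "$ID_VIEW" "$login" "$AD_REALM" "$uid" "$gid" "$home" "$shell"
    done <<EOF
$1
EOF
    return "$rc"
}

nis_to_overrides "$NIS_PASSWD" || echo "some NIS entries were skipped; see messages above" >&2
```

Run the printed commands only after checking the output; each one creates an override in the Default Trust View, so a wrong UID here would be applied to every IPA client that uses that view.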