On Sun, 09 Jul 2017, Louis Abel via FreeIPA-users wrote:
I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory (ad.angelsofclockwork.net) and put them into a two way trust with posix. I used these commands:
ipa-adtrust-install --enable-compat --add-agents
ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true
The users in AD have posix attributes assigned and those attributes are
in the global catalog. My linux clients can see the AD users when I do
a getent passwd user@ad.angelsofclockwork.net. So this is working as
- I used this guide to add our first mac to FreeIPA rather than AD.
This guide worked for the most part, but I cannot get it to see the
users across the trust boundary. I'm sure I'm either missing something
or the Mac's Open Directory utility doesn't support trusts like we would
think it should.
OpenDirectory only looks into a single LDAP server. FreeIPA LDAP
does not provide AD users in its own LDAP tree, thus OpenDirectory
cannot see them.
It is working as designed in the sense that OpenDirectory is not supported
for trusted users and never was supported.
Anyone have any suggestions? Or will I have to just connect my mac to
AD and work with it that way? I was trying to avoid having to add to
AD, but it seems like I'm going to have to go that route. Unless anyone
has experience with getting it to work across trusts. From my research
it seems others have tried to solve the 'trust' problem when there are
two AD domains involved, not an IPA and AD domain. So it seems like a
mac specific problem perhaps.
Yes, just connect to AD. We don't have much support for macOS in the trust to AD space.
/ Alexander Bokovoy