[Novalug] IDMU deprecated in Active Directory

Bryan J Smith b.j.smith@ieee.org
Tue May 26 21:35:48 EDT 2015


On Tue, May 26, 2015 at 8:12 PM, James Ewing Cottrell, III
<jecottrell3@comcast.net> wrote:
> Yes, I support much of what they want to do...
> Killing NIS is Fine

I think we all agree, there's little reason for NIS services,
especially since SSSD exists, and can read AD's IdM for UNIX (IETF
RFC2307 attributes) directly.

> but they MUST keep the UNIX Attributes Tab if they want to discourage IPA.

Yeah, this is what I don't understand.

I mean, without those attributes in AD, there's no way to make AD the
centralized store for them.  Everything else is locally (not
centrally) enumerated UID/GID, and nothing else can be "enumerated"
(e.g., homedir, etc...).

Unless, of course, Microsoft is conceding that AD Forest Trusts with
IPA is the better way to go.  I'd like to see what their explanation
is.

> Why don't you go there too and Comment? You don't even have to Register.

I might.

The only thing I can think of is that, now that SSSD exists and is
becoming commonplace, a lot of the $50-300/node CAL products like
Centrify, Likewise, etc... didn't like AD storing the attributes, and
SSSD could read them "for free."

-- bjs


