[Freeipa-users] IPA, Samba and AD

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 3 14:19:44 UTC 2013


On Wed, 03 Jul 2013, Fred van Zwieten wrote:
>1. Do you have the same realms for both IPA and AD?
>Yes.
>
>2. Do you have exactly same DNS domains for both IPA and AD?
>Also yes. Because of this we must, for now, maintain 2 separate DNS
>implementations: one for AD and one for IPA, because otherwise the service
>records would name-clash.
>
>If I understand the above description correctly, your new RHEL 6.4 server
>is enrolled into the IPA domain, i.e. its host keytab contains keys to
>the host service coming from the IPA KDC. It probably also uses SSSD in both
>nsswitch and PAM configurations?
>Correct!
>
>Are you planning to use pam_winbind/nss_winbind for the Samba/AD
>interoperability?
>I don't know yet. It depends on what works best with this setup. I am not
>(yet) a Samba wunderguy, so these discussions help me (thanks for that).
I'm not sure that this configuration will work flawlessly.

If the host is not enrolled to the IPA realm, you can easily make it
work against the AD domain. If you enrolled the host to an IPA realm which
is exactly the same as the AD domain, both DNS and krb5.conf collisions will
create quite serious issues. Basically, it is an 'either/or' case.

-- 
/ Alexander Bokovoy



