<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000066">
+1. Use DNS. I agree with Simo.<br>
<br>
On 08/21/2012 10:04 AM, Simo Sorce wrote:
<blockquote
cite="mid:464630960.8159132.1345536250787.JavaMail.root@redhat.com"
type="cite">
<pre wrap="">You are not alone, but we strongly suggest using a separate DNS domain for the FreeIPA server, and if possible for its clients. Either a same-level domain or, at least, a delegated zone.
For example:
corp.domain.com -> AD
unix.domain.com -> FreeIPA
with forwards between them.
Or
domain.com -> AD
domain.net -> FreeIPA
again with forwards
Or
domain.com -> AD
unix.domain.com -> FreeIPA
with AD delegating out the unix. subdomain to FreeIPA.
In general we strongly suggest not using the same DNS domain for AD and FreeIPA, as using the same domain name makes it impossible to have Kerberos-level interop between the 2 domains (trust relationships cannot be established if they use the same DNS domain and/or the same realm name, for example).
</pre>
</blockquote>
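As an added illustration (not from the thread or the FreeIPA project) of the three layouts Simo lists, the script below takes an AD domain and a FreeIPA domain and works out which layout applies: disjoint or same-level domains (forward zones in both directions), a FreeIPA subdomain under the AD domain (AD delegates it with NS and glue records, FreeIPA forwards the parent), or a conflict (same domain, or AD sitting below FreeIPA). The domain names, host names and 192.0.2.x addresses are constructed sample values; the generated stanzas use plain BIND 9 "type forward" zone syntax and are an assumed way of expressing the forwards the thread mentions, not a FreeIPA-specific command.

```python
"""Classify an AD / FreeIPA DNS layout and emit the forwards and delegation it needs.

Added example, constructed around the thread's domain.com / unix.domain.com names.
"""
from dataclasses import dataclass, field


@dataclass
class DnsPlan:
    layout: str                      # "separate-domains", "delegated-subdomain" or "conflict"
    ad_forward_stanza: str = ""      # BIND stanza the FreeIPA DNS server needs to reach the AD zone
    ipa_forward_stanza: str = ""     # BIND stanza the AD-side resolver needs to reach the FreeIPA zone
    delegation_records: list = field(default_factory=list)  # NS + glue the AD zone must carry
    reason: str = ""


def _is_subdomain(child: str, parent: str) -> bool:
    return child != parent and child.endswith("." + parent)


def _forward_stanza(zone: str, forwarder_ip: str) -> str:
    # BIND 9 forward-only zone: every query under `zone` is sent to the other directory's DNS.
    return (f'zone "{zone}" {{\n'
            f"    type forward;\n"
            f"    forward only;\n"
            f"    forwarders {{ {forwarder_ip}; }};\n"
            f"}};")


def plan_dns_layout(ad_domain, ad_dns_ip, ipa_domain, ipa_server_host, ipa_dns_ip):
    ad = ad_domain.lower().rstrip(".")
    ipa = ipa_domain.lower().rstrip(".")

    if ad == ipa:
        return DnsPlan("conflict",
                       reason="AD and FreeIPA share one DNS domain; a trust cannot be established")
    if _is_subdomain(ad, ipa):
        return DnsPlan("conflict",
                       reason="AD domain sits below the FreeIPA domain; delegate the other way round")
    if _is_subdomain(ipa, ad):
        # Layout 3 from the thread: AD owns domain.com and delegates unix.domain.com to FreeIPA.
        label = ipa[: -(len(ad) + 1)]
        records = [f"{label} IN NS {ipa_server_host}.",      # delegation in the AD zone
                   f"{ipa_server_host}. IN A {ipa_dns_ip}"]  # glue so the NS name resolves
        return DnsPlan("delegated-subdomain",
                       ad_forward_stanza=_forward_stanza(ad, ad_dns_ip),
                       delegation_records=records,
                       reason="AD delegates the FreeIPA subdomain; FreeIPA forwards the parent to AD")
    # Layouts 1 and 2: same-level subdomains or entirely separate domains, forwards both ways.
    return DnsPlan("separate-domains",
                   ad_forward_stanza=_forward_stanza(ad, ad_dns_ip),
                   ipa_forward_stanza=_forward_stanza(ipa, ipa_dns_ip),
                   reason="disjoint domains; each side forwards the other's zone")


if __name__ == "__main__":
    # Constructed sample values for the three layouts named in the thread.
    cases = [("corp.domain.com", "unix.domain.com"),
             ("domain.com", "domain.net"),
             ("domain.com", "unix.domain.com"),
             ("domain.com", "domain.com")]
    for ad_dom, ipa_dom in cases:
        plan = plan_dns_layout(ad_dom, "192.0.2.10", ipa_dom, f"ipa.{ipa_dom}", "192.0.2.20")
        print(f"{ad_dom} / {ipa_dom}: {plan.layout} ({plan.reason})")
        for rec in plan.delegation_records:
            print("  AD zone record:", rec)
        if plan.ad_forward_stanza:
            print("  on FreeIPA DNS:\n" + plan.ad_forward_stanza)
        if plan.ipa_forward_stanza:
            print("  on AD-side DNS:\n" + plan.ipa_forward_stanza)
```

The conflict branch is the point of the thread: the same domain name (regardless of case or a trailing dot) is rejected outright, and the remaining branches spell out which side must carry which records so that neither directory ends up answering for the other's names.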
</body>
</html>