<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/29/2015 04:39 PM, Hugh wrote:<br>
</div>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<p>All,</p>
<p>I've been trying to get our new AD environment and our
existing IPA environment all happy, but am having little luck.
To start, our info and a few questions:</p>
<p>IPA servers running CentOS 6.5 and ipa-server-3.0.0-42<br>
Windows DC servers running Windows Server 2012</p>
<p>Anonymized domain info:<br>
IPA NetBIOS domain: IPA<br>
IPA DNS domain: <a moz-do-not-send="true"
href="http://domain.com">domain.com</a><br>
WIN NetBIOS domain: AD<br>
WIN DNS domain: <a moz-do-not-send="true"
href="http://win.domain.com">win.domain.com</a></p>
<p>AD environment using itself for DNS, IPA environment using
external DNS (Cobbler/Bind). The appropriate _tcp, _ldap, etc.
DNS entries have been created in the <a
moz-do-not-send="true" href="http://domain.com">domain.com</a>
domain in Bind. I have set up users in IPA and AD with the
same username and added a name mapping in AD to <a
moz-do-not-send="true" href="mailto:username@DOMAIN.COM">username@DOMAIN.COM</a>.
</p>
<p><br>
</p>
</div>
</blockquote>
<br>
How are the domains connected? Do you use trust or sync?<br>
<br>
<br>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<p>1) Is it possible to log into a workstation that's been
joined to a domain with IPA credentials?</p>
</div>
</blockquote>
<br>
You mean can I access a Windows workstation joined to AD domain by
user from IPA domain?<br>
No it is not implemented. It will require Global Catalog support in
IPA.<br>
<br>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<p>2) If so, what are the minimum requirements for that? Do I
need to run FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora?
Something else?</p>
<div>3) Is there any way to log into the domain workstation with
the NetBIOS domain and username and have it authenticate
against the IPA environment? As in AD\username instead of <a
moz-do-not-send="true" href="mailto:username@DOMAIN.COM">username@DOMAIN.COM</a>?
If only the latter will work, will users be able to map drives
and access other AD resources without being prompted for
username/pass?<br>
</div>
</div>
</blockquote>
<br>
You seem to be looking for the full mutual trust capability. It is
not there yet.<br>
Help is welcome!<br>
<br>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
4) For initial setup of users, do the passwords for the AD and
IPA accounts need to be the same? Will a password change in
the Windows environment change the IPA password?<br>
</div>
</div>
</blockquote>
<br>
If you use sync then users and passwords are synced.<br>
If you use trust, users stay where they are created (in AD or in
IPA) and client is redirected to the AD or IPA domain the user is
created in.<br>
<br>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
Any other hints, etc. for how to get this all working would be
appreciated. I've gone through the FreeIPA AD Trust page(s)
and various other sources, but am unclear on how things should
work and whether or not I'm doing something wrong. Our old
Windows 2003 domain is authenticating fine against MIT
Kerberos, so I'm rather surprised how difficult this is
proving to be.<br>
</div>
</div>
</blockquote>
<br>
If you just want to use IPA for windows you for now have to use the
same Kerberos setup on Windows workstations as you have in the old
domain.<br>
The main point if IPA is to server Linux clients not to replace AD.
The AD can be replaced with Samba 4 and we are working on making it
support trusts with IPA.<br>
<blockquote
cite="mid:CAOc28g7_wHAdRnB+Qy2Ad+h9JVe0g-0btG-a2GGLvYuwMcX9MA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
Many thanks in advance,<br>
<br>
Hugh<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>