[Freeipa-users] need info on AD / IPA coexistence

Sylvain Angers sylvainangers at gmail.com
Wed Mar 7 18:38:34 UTC 2012


2012/2/23 Simo Sorce <simo at redhat.com>

> On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
> > I would not expect that there would be any problem with AD and IPA
> > coexisting when the realm names are different, but I have heard
> > reports that there are problems, especially when Linux clients are
> > configured to use AD for DNS.  Trying to figure out what the problem
> > is.  I understand your delegated dns setup.  What if the customer must
> > use AD for all DNS?
>
> The only "problem" you may have is that you have to manually set all the
> SRV and TXT records.
> It's tedious but nothing heart breaking.
>
> Clients will not be able to do DNS updates if the DNS is not managed by
> IPA.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York



Hello All,
We are facing the same difficulties here with coexistence with Microsoft AD
on the same network.

Whenever I run ipa-client-install

# ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
DNS domain 'unix' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.abcd.ca
Realm: UNIX
DNS Domain: abcd.ca
IPA Server: server.abcd.ca
BaseDN: dc=unix


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at UNIX:

Enrolled in IPA realm UNIX
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX
SSSD enabled

*Unable to find 'admin' user with 'getent passwd admin'!*

Recognized configuration: SSSD
NTP enabled
Client configuration complete.


and when I sniff via Wireshark while doing getent passwd admin, I get

many times this snippet, with all the Microsoft AD servers in the loop

165.115.52.21 = our windows dns server
165.115.40.149 = our ipa client
165.115.40.144
165.115.126.210 = windows AD domain controller
165.115.212.167 = windows AD domain controller



 31.784008 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.52.21
 31.784308 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217133 TSER=0 WS=7
 31.784518 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
 31.784538 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217133 TSER=0
 31.784873 165.115.40.149 -> 165.115.52.21 LDAP searchRequest(1) "<ROOT>"
baseObject
 31.785487 165.115.52.21 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
 31.785505 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=1449 Win=17536 Len=0 TSV=5217134 TSER=13371643
 31.785522 165.115.52.21 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
 31.785531 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=2314 Win=20480 Len=0 TSV=5217134 TSER=13371643
 31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A
jac-rg-i01.cn.ca
 31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.126.210
 31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
 31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error:
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
 31.827485 165.115.40.149 -> 165.115.52.21 LDAP unbindRequest(2)
 31.827518 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [FIN, ACK]
Seq=236 Ack=2314 Win=20480 Len=0 TSV=5217176 TSER=13371643
 31.827763 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [ACK] Seq=2314
Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
 31.827786 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [FIN, ACK]
Seq=2314 Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
 31.827795 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=237
Ack=2315 Win=20480 Len=0 TSV=5217177 TSER=13371643
 31.827856 165.115.40.149 -> 165.115.52.21 DNS Standard query A
gnp-yd-i01.cn.ca
 31.828112 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.207.219
 31.828393 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217177 TSER=0 WS=7
 31.860256 165.115.207.219 -> 165.115.40.149 TCP ldap > 56123 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1360 WS=0 TSV=0 TSER=0
 31.860313 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217209 TSER=0
 31.860488 165.115.40.149 -> 165.115.207.219 LDAP searchRequest(1) "<ROOT>"
baseObject
 31.901748 165.115.207.219 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
 31.901767 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=1349 Win=17536 Len=0 TSV=5217251 TSER=15563619
 31.907040 165.115.207.219 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
 31.907054 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=2314 Win=20224 Len=0 TSV=5217256 TSER=15563619
 31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A
prg-yd-i02.cn.ca
 31.907883 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.212.167
 31.911870 165.115.40.149 -> 165.115.212.167 KRB5 AS-REQ
 31.995533 165.115.212.167 -> 165.115.40.149 KRB5 KRB Error:
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
 31.996253 165.115.40.149 -> 165.115.207.219 LDAP unbindRequest(2)

It does this snippet on every AD server before getting back empty.

We wonder if we need to create a subdomain with a FreeIPA master for that
subdomain...

Any help would be appreciated.

Regards

-- 
Sylvain Angers
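As an added example, not from this thread: the SRV and TXT records Simo refers to, written as a BIND-style zone fragment using the values from the ipa-client-install output above (domain abcd.ca, realm UNIX, server server.abcd.ca). These are the records IPA publishes itself when it manages the zone; when AD serves abcd.ca they have to be created by hand there with the same names, ports and target.

```zone
; Service records the IPA client and SSSD look up for domain abcd.ca / realm UNIX
; (values taken from the ipa-client-install output in the post). Create the same
; records by hand in the AD-managed abcd.ca zone when IPA does not serve DNS.
_ldap._tcp.abcd.ca.             IN SRV 0 100 389 server.abcd.ca.
_kerberos._tcp.abcd.ca.         IN SRV 0 100 88  server.abcd.ca.
_kerberos._udp.abcd.ca.         IN SRV 0 100 88  server.abcd.ca.
_kerberos-master._tcp.abcd.ca.  IN SRV 0 100 88  server.abcd.ca.
_kerberos-master._udp.abcd.ca.  IN SRV 0 100 88  server.abcd.ca.
_kpasswd._tcp.abcd.ca.          IN SRV 0 100 464 server.abcd.ca.
_kpasswd._udp.abcd.ca.          IN SRV 0 100 464 server.abcd.ca.
_ntp._udp.abcd.ca.              IN SRV 0 100 123 server.abcd.ca.
; TXT record mapping the DNS domain to its Kerberos realm name.
_kerberos.abcd.ca.              IN TXT "UNIX"
```

If abcd.ca is also the AD domain's own DNS name, its existing _ldap._tcp and _kerberos._tcp records already point at the domain controllers, and a client following those lands on an AD KDC, which is consistent with the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN replies in the trace. A separate subdomain delegated to IPA, as the poster wonders, keeps the two record sets from colliding.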
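As an added example (not code from the post), a script that walks a Wireshark summary in the format above, joined one frame per line, and lists every KDC the client sent an AS-REQ to, named from the DNS answer that preceded it and flagged when it is not the IPA server; the IPA server address is a parameter because the post does not say which address server.abcd.ca has, and the sample frames are copied from the trace above.

```python
import re
from collections import OrderedDict

# Constructed sample: frames copied from the trace in the post, joined so that
# each frame is on one line (timestamp, src -> dst, protocol, info).
SAMPLE_TRACE = """\
31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A jac-rg-i01.cn.ca
31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.126.210
31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A prg-yd-i02.cn.ca
31.907883 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.212.167
31.911870 165.115.40.149 -> 165.115.212.167 KRB5 AS-REQ
31.995533 165.115.212.167 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
"""

# timestamp, source, destination, protocol, rest of the summary line
FRAME_RE = re.compile(r"^\s*(\S+)\s+(\S+) -> (\S+)\s+(\S+)\s+(.*)$")


def kdc_contacts(trace, ipa_server_ip):
    """Return [(kdc_ip, hostname, error, is_ipa_server)] for every AS-REQ.
    hostname comes from the DNS A answer seen just before the request (None if
    not resolved in the trace); error is the KRB Error text, or None."""
    pending_name = None        # name of the last DNS A query still unanswered
    name_for_ip = {}           # IP -> hostname learned from DNS A responses
    contacts = OrderedDict()   # kdc_ip -> [hostname, error], in first-seen order
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        _ts, src, dst, proto, info = m.groups()
        if proto == "DNS" and info.startswith("Standard query A "):
            pending_name = info.split()[-1]
        elif proto == "DNS" and info.startswith("Standard query response A "):
            if pending_name:
                name_for_ip[info.split()[-1]] = pending_name
                pending_name = None
        elif proto == "KRB5" and info == "AS-REQ":
            contacts.setdefault(dst, [name_for_ip.get(dst), None])
        elif proto == "KRB5" and info.startswith("KRB Error:") and src in contacts:
            contacts[src][1] = info.split(":", 1)[1].strip()
    return [(ip, name, err, ip == ipa_server_ip)
            for ip, (name, err) in contacts.items()]


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder for the IPA server's address (not in the post).
    for ip, name, err, is_ipa in kdc_contacts(SAMPLE_TRACE, "192.0.2.10"):
        tag = "IPA server" if is_ipa else "NOT the IPA server"
        print(f"AS-REQ to {ip} ({name}): {err or 'no error'} [{tag}]")
```

Run it against your own `tshark` output with the real IPA server address to confirm whether every Kerberos request is being steered to AD domain controllers instead of the IPA KDC.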