[Freeipa-users] need info on AD / IPA coexistence

Sylvain Angers sylvainangers at gmail.com
Thu Mar 8 12:40:10 UTC 2012


>is abcd.ca your windows domain ?
yes in this example

# Notes on the options below (kept here because a '#' comment cannot follow
# a '\' line continuation without breaking the command):
# --subject: Sets the base element for the subject DN of the issued
#            certificates. This defaults to O=realm.
# --no-reverse: ???? Does not create a reverse DNS zone when the DNS domain
#               is set up.
# --idmax: ??? Sets the upper bound for IDs which can be assigned by the IPA
#          server. The default value is the ID start value plus 199999.
# --idstart: ???? will have to check with AD I guess
ipa-server-install \
  -a xxxxxxxxxxxxxxxxxx \
  --hostname=ipa1.unix.abcd.ca \
  -n unix.abcd.ca \
  -p xxxxxxxxxxxxxxxxxxx \
  -r UNIX.ABCD.CA \
  --subject=subject_DN \
  --forwarder=ad_dns.abcd.ca \
  --no-reverse \
  --setup-dns \
  --idmax=number \
  --idstart=10000

IPA server will become unix master DNS for UNIX
current unix server fqdn will remain on abcd.ca
current unix server will have dns,ntp,kdc,ldap from ipa
realm will be equal to domain name = unix.abcd.ca

When I have resolved the "getent passwd admin" issue
I believe I will be able to su - admin on any unix server
and will be able to start thinking about what next, like winsync,
then create ipa slave = ipa2.unix.abcd.ca
Define SRV in bind unix.abcd.ca
test all our supported Unix platforms, especially AIX.
Was anyone successful in hooking their HP iLO, RHEV manager to IPA?

Will have to convince many people to achieve this set-up, but I am sure it is
worth it!

Thank you! you guys Rock!

Sylvain

2012/3/8 Ondrej Valousek <ondrejv at s3group.cz>

> Side note:
> You can manage AD integrated DNS from unix host easily with just 'nsupdate
> -g' - so theoretically (ok I understand you have to have a proper Kerberos
> TGT...) IPA client could be able to autoconfigure (create all the necessary
> SRV records) AD DNS, too. Not sure if we even wanted that, but
> theoretically, it should be possible.
>
> Ondrej
>
>
> On 03/07/2012 08:11 PM, Simo Sorce wrote:
>
> On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
>
>  Hello All,
> We are facing the same difficulties here with coexistence with
> Microsoft AD
> on the same network
>
> Whenever I run ipa-client-install
>
> # ipa-client-install --server=server.abcd.ca --domain=abcd.ca
> --realm=UNIX
> DNS domain 'unix' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: client.abcd.ca
> Realm: UNIX
> DNS Domain: abcd.ca
> IPA Server: server.abcd.ca
> BaseDN: dc=unix
>
>
>
>  is abcd.ca your windows domain ?
>
> although we support specifying a realm that is not identical to the DNS
> domain I strongly suggest you do not do so if you do not want to
> experience some trouble and to assign to your UNIX domain its own DNS
> domain that matches the realm. If you do not do that things can still
> work, but not w/o some minor annoyances.
> For example discovery will fail as you find out because the DNS domain
> is owned by the AD realm. You also have to make sure you properly map
> realms to domains correctly in various clients.
>
> Simo.



-- 
Sylvain Angers
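Simo's point above about mapping realms to domains is what the quoted ipa-client-install run tripped over: the realm (UNIX) does not own the DNS domain (abcd.ca), so clients cannot discover the KDC and may hand tickets for unix hosts to the wrong realm. The krb5.conf fragment below is an added illustration, not configuration from this thread or from the FreeIPA project; it assumes the layout Sylvain describes (IPA realm UNIX.ABCD.CA owning DNS domain unix.abcd.ca, server ipa1.unix.abcd.ca) and that the AD realm is named ABCD.CA, which is an assumption.

```ini
# Added example (not from the thread): explicit realm/domain mapping on a
# Unix client that lives beside an AD domain. Assumed names: IPA realm
# UNIX.ABCD.CA with DNS domain unix.abcd.ca, KDC ipa1.unix.abcd.ca, and an
# AD realm called ABCD.CA (placeholder for the real AD realm name).
[libdefaults]
    default_realm = UNIX.ABCD.CA
    # SRV-based KDC discovery only works once _kerberos._tcp.unix.abcd.ca
    # exists; until then the [realms] stanza below pins the KDC.
    dns_lookup_kdc = true
    # Do not let DNS TXT records choose the realm for a host name; the
    # [domain_realm] table below is the authority.
    dns_lookup_realm = false

[realms]
    UNIX.ABCD.CA = {
        kdc = ipa1.unix.abcd.ca:88
        admin_server = ipa1.unix.abcd.ca:749
    }

[domain_realm]
    # Longest-suffix match: everything under unix.abcd.ca belongs to the IPA
    # realm, and everything else under abcd.ca stays with AD. Without the
    # first two lines, client.unix.abcd.ca would be mapped to ABCD.CA.
    .unix.abcd.ca = UNIX.ABCD.CA
    unix.abcd.ca = UNIX.ABCD.CA
    .abcd.ca = ABCD.CA
    abcd.ca = ABCD.CA
```

With the realm and its DNS domain aligned this way, ipa-client-install can be run with --domain=unix.abcd.ca --realm=UNIX.ABCD.CA and discovery succeeds through the SRV records in the IPA-managed zone, which is exactly the arrangement Simo recommends; the [domain_realm] table is still worth keeping on hosts whose own names stay under abcd.ca, since their suffix would otherwise map them to the AD realm.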