[Freeipa-users] FreeIPA trusts with 2003 R2

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 19 12:59:01 UTC 2013


On Wed, 19 Jun 2013, Brian Lee wrote:
>Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
>noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately
>our organization has not completed the migration to 2008 R2 yet. I know,
>we're a little behind the curve on that, but fortunately Windows servers
>aren't my responsibility ;-)
>
>If the Kerberos realms are separate between Active Directory and FreeIPA,
>why does the domain controller need to be Windows 2008 R2 for an external
>trust? From what I understand, there is no difference in an external trust
>in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.

Please note that the actual requirement is to have functional level 2008 or
above, for cross-forest trusts.

In our limited testing using functional level 2003, things did not work
as expected. We didn't look deeper because functional level 2003 also lacks
AES encryption, and making it work with weaker encryption for TGT was to
force downgrading encryption on the IPA side, aside from unclear issues with RPC calls.

-- 
/ Alexander Bokovoy



