[Freeipa-users] winsyncs - multiple

Dmitri Pal dpal at redhat.com
Fri Nov 29 07:29:10 UTC 2013


On 11/27/2013 07:19 PM, Steven Jones wrote:
> Hi,
>
> I currently have a winsync agreement from one AD domain to one of three IPA servers, works fine.
>
> Can I set up another winsync agreement from a different AD to one of the other IPA servers and one way sync that as well?
>
> The obvious risk is a user id clash, but both domains have different naming policy.

You are on the right path to answering your own question. ;-)
Yes, this can be done and "might" work, but since the software can't
guarantee uniqueness it is discouraged.
If the naming policy is not that "clean" you might end up with
inconsistent behavior that is hard to troubleshoot.

>
> So can this be done?
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Matt Bryant [matthew.bryant at melbourneit.com.au]
> Sent: Thursday, 28 November 2013 12:48 p.m.
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Trust between IPA and another MIT Kerberos Realm
>
> Simo,
>
> Thanks for that .. using that switch the principal is now created, on to
> see if it works as expected ..
>
> rgds
>
> Matt B.
>
> On 11/28/2013 09:10 AM, Simo Sorce wrote:
>> On Thu, 2013-11-28 at 08:29 +1000, Matt Bryant wrote:
>>> Simo,
>>>
>>> Have added the following into bugzilla ..
>>>
>>> Bug 1035494 has been added to the database
>>>
>>> seems strange but whilst listprincs/getprinc works, getpols and the
>>> addprinc (at least in this use case) doesn't...
>> addprinc not working for normal user principals is expected, we block it
>> to prevent the creation of incomplete user accounts.
>>
>> I think getpols is also expected to fail as we use IPA specific
>> policies.
>>
>> However it should allow you to create krbtgt/OLD-REALM@IPA-REALM to set
>> up trusts until we provide an explicit command for it. This is why I
>> wanted you to open a bug on that.
>>
>>> ie
>>> kadmin.local:  add_principal -pw XXXXXXX krbtgt/OLD-REALM@IPA-REALM
>>> WARNING: no policy specified for krbtgt/OLD-REALM@IPA-REALM;
>>> defaulting to no policy
>>> add_principal: Invalid argument while creating
>>> "krbtgt/OLD-REALM@IPA-REALM".
>> Now that I think of it, there is an undocumented switch that will allow
>> you to create an arbitrary principal. This switch should NEVER be used
>> to create user principals or normal host principals, however it should
>> allow you to workaround the issue until we can fix the kadmin interface.
>>
>> Use kadmin.local -x ipa-setup-override-restrictions
>>
>> But please use it exclusively to create the krbtgt/REALM1@REALM2
>> principals and nothing else.
>>
>> Simo.
>>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
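The uniqueness risk Dmitri describes above can be checked before the second winsync agreement is created. The following is an added example, not FreeIPA or 389-ds code: it takes the sAMAccountName exports of each AD domain plus the users already in IPA, folds case (the IPA uid attribute is matched case-insensitively, so "Admin" and "admin" are the same user to winsync), reports every uid that would be claimed by more than one source, and separately lists the accounts that break their domain's stated naming policy, since those are the ones that tend to cause the clashes. The user lists and the two naming-policy regexes are constructed sample data; the source names are assumed.

```python
"""Pre-flight uid-clash check before adding a second winsync agreement.

Added example (not FreeIPA code). In practice the name lists would come
from an LDAP search for sAMAccountName against each AD domain and from
the existing IPA user tree; here they are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample exports: source name -> list of raw account names.
# "ipa-local" stands for users that already exist in IPA (e.g. admin).
SOURCES = {
    "ipa-local": ["admin", "svc-backup"],
    "ad.corp-a.example": ["jsmith", "mjones", "svc-backup", "Admin"],
    "ad.corp-b.example": ["smithj", "jonesm", "jsmith", "t.wong"],
}

# Constructed naming policies, one per AD domain (assumptions for the example):
#   corp-a: first initial + surname, lower-case letters only
#   corp-b: firstname.surname, lower-case letters only
POLICIES = {
    "ad.corp-a.example": re.compile(r"^[a-z][a-z]+$"),
    "ad.corp-b.example": re.compile(r"^[a-z]+\.[a-z]+$"),
}


def normalize_uid(name: str) -> str:
    """Fold a raw account name the way the directory will compare it.

    The IPA uid attribute uses case-insensitive matching, so two names that
    differ only in case still collide once synced.
    """
    return name.strip().lower()


def find_clashes(sources: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {normalized uid: sorted list of sources} for uids seen in >1 source."""
    owners: dict[str, set[str]] = defaultdict(set)
    for source, names in sources.items():
        for name in names:
            owners[normalize_uid(name)].add(source)
    return {uid: sorted(srcs) for uid, srcs in owners.items() if len(srcs) > 1}


def policy_violations(sources: dict[str, list[str]],
                      policies: dict[str, re.Pattern]) -> dict[str, list[str]]:
    """Return {source: sorted raw names} for names that break the source's policy.

    The raw (un-normalized) name is checked, because letter case is part of
    the policy. Sources with no policy entry are skipped.
    """
    result = {}
    for source, pattern in policies.items():
        bad = sorted(n for n in sources.get(source, []) if not pattern.match(n))
        if bad:
            result[source] = bad
    return result


def report(sources: dict[str, list[str]], policies: dict[str, re.Pattern]) -> list[str]:
    """Human-readable lines; returned rather than printed so they can be checked."""
    lines = []
    for uid, srcs in sorted(find_clashes(sources).items()):
        lines.append(f"CLASH  {uid}: claimed by {', '.join(srcs)}")
    for source, names in sorted(policy_violations(sources, policies).items()):
        lines.append(f"POLICY {source}: off-policy names {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in report(SOURCES, POLICIES):
        print(line)
```

With the constructed data, "jsmith" is claimed by both AD domains precisely because corp-b has off-policy accounts, and "admin"/"svc-backup" in corp-a would collide with users that already exist in IPA; each such entry needs to be renamed or excluded on the AD side before the second agreement is created, because winsync itself will not arbitrate.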
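Simo's note in the quoted thread warns that `kadmin.local -x ipa-setup-override-restrictions` must be used only for cross-realm krbtgt principals. The following is an added example, not FreeIPA or MIT Kerberos code, that puts that rule in front of the switch: it accepts a principal only if it has the form krbtgt/OTHER-REALM@LOCAL-REALM with two different realms, refuses user and host principals, and builds the kadmin.local command line. Unlike the `-pw XXXXXXX` form shown in the thread, the built command leaves the password off the argument list so add_principal prompts for it, keeping the trust key out of `ps` output and shell history. The realm names are the thread's placeholders; the helper names are this example's own.

```python
"""Guard for the undocumented kadmin.local override switch.

Added example (not FreeIPA or MIT Kerberos code). Only the switch name,
kadmin.local's -x and -q options, and the add_principal command are real;
the helper functions are this example's own.
"""
import re

OVERRIDE_SWITCH = "ipa-setup-override-restrictions"  # from the thread

# krbtgt/<trusted realm>@<local realm>. Realm names are conventionally
# upper-case; we accept letters, digits, dots and hyphens.
_CROSS_REALM_TGT = re.compile(
    r"^krbtgt/(?P<trusted>[A-Z0-9.\-]+)@(?P<local>[A-Z0-9.\-]+)$"
)


def is_cross_realm_krbtgt(principal: str) -> bool:
    """True only for krbtgt/REALM1@REALM2 with REALM1 != REALM2.

    krbtgt/REALM@REALM is the realm's own TGS key and must never be
    re-created this way; anything else (user, host, service principals)
    is exactly what the switch must not be used for.
    """
    m = _CROSS_REALM_TGT.match(principal)
    return bool(m) and m.group("trusted") != m.group("local")


def trust_principals(ipa_realm: str, other_realm: str) -> tuple[str, str]:
    """The two principals a two-way trust needs (standard Kerberos cross-realm).

    The first is created in the IPA KDB with the override switch, the
    second in the other realm's KDB, and both must share the same key.
    """
    return (f"krbtgt/{other_realm}@{ipa_realm}", f"krbtgt/{ipa_realm}@{other_realm}")


def override_command(principal: str) -> list[str]:
    """argv for kadmin.local that creates `principal` under the override switch.

    No -pw: add_principal then prompts for the password interactively
    instead of exposing it on the command line.
    """
    if not is_cross_realm_krbtgt(principal):
        raise ValueError(
            f"refusing to use {OVERRIDE_SWITCH} for {principal!r}: "
            "only krbtgt/REALM1@REALM2 principals are allowed"
        )
    return ["kadmin.local", "-x", OVERRIDE_SWITCH, "-q", f"add_principal {principal}"]


if __name__ == "__main__":
    import shlex
    import sys

    # Usage: python guard.py IPA-REALM OLD-REALM   (prints the command, does not run it)
    ipa_realm, other_realm = sys.argv[1:3] if len(sys.argv) == 3 else ("IPA-REALM", "OLD-REALM")
    local_tgt, remote_tgt = trust_principals(ipa_realm, other_realm)
    print("# run on the IPA master:")
    print(shlex.join(override_command(local_tgt)))
    print(f"# then create {remote_tgt} in the {other_realm} KDC with the same password")
```

Running it with the thread's placeholder realms prints `kadmin.local -x ipa-setup-override-restrictions -q 'add_principal krbtgt/OLD-REALM@IPA-REALM'`; feeding it `host/...` or a bare user principal raises instead of building a command.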