[Freeipa-users] DNS configuration
Simo Sorce
simo at redhat.com
Mon Dec 8 14:48:01 UTC 2014
On Mon, 08 Dec 2014 08:58:46 -0500
Dmitri Pal <dpal at redhat.com> wrote:
> > Perhaps I should have explained that we are not going to set up a
> > new DNS domain for the ipa-managed servers.
Note that if you cannot set up a new DNS domain and this domain is the
same as the AD domain then you cannot to the stuff Dmitri describe
below. The only way to have accounts on freeipa in this case is to use
the winsync method, which has a number of limitation.
Also clients will be rather confused when you try to
ipa-client-install as they will find AD servers instead of ipa servers,
finally you'll have to use a different realm name for the IPA domain,
one that doesn't match the AD domain.
HTH,
Simo.
> > We have an Oracle dsee7
> > server doing LDAP for our Linux servers and accounts. We want to
> > migrate to IPA so we don't have to maintain a Linux/LDAP account
> > for every user who needs access to Linux servers. All of our users
> > start with an account in AD and since none of my predecessors knew
> > about Winbind, they set up dsee7.
> >
> > So I'm thinking we'll need to import all our dsee7 accounts AND
> > make it possible for AD users to access the Linux systems without
> > needing to create them in IPA.
>
>
> So the approach would be:
>
> 1) Install IPA (do not migrate users)
> 2) Establish trust with AD
> 3) Start switching client configuration from using LDAP with dsee7 to
> SSSD pointing to IPA
>
> You do not need to migrate users.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list