[Freeipa-users] DNS configuration

Dmitri Pal dpal at redhat.com
Mon Dec 8 15:29:15 UTC 2014


On 12/08/2014 10:07 AM, Matthew Herzog wrote:
> My Linux/LDAP domain is lnx.e-bozo.com. The AD domain is ad.e-bozo.com.
> This has always been the case. I set up my FreeIPA server in the
> lnx.e-bozo.com domain using realm LNX.E-BOZO.COM. In light of this, how
> should I proceed?

If you prefer to continue using your DNS servers, then you need to add 
all DNS records that FreeIPA defined for you at the end of the 
installation manually to your DNS.
As soon as you have done this you should be able to establish the trust.

You would need to update your DNS server with any new replicas you add.

>
> On Mon, Dec 8, 2014 at 9:48 AM, Simo Sorce <simo at redhat.com> wrote:
>
>     On Mon, 08 Dec 2014 08:58:46 -0500
>     Dmitri Pal <dpal at redhat.com> wrote:
>
>     > > Perhaps I should have explained that we are not going to set up a
>     > > new DNS domain for the ipa-managed servers.
>
>     Note that if you cannot set up a new DNS domain and this domain is the
>     same as the AD domain, then you cannot do the stuff Dmitri describes
>     below. The only way to have accounts on FreeIPA in this case is to use
>     the winsync method, which has a number of limitations.
>     Also, clients will be rather confused when you try to
>     ipa-client-install, as they will find AD servers instead of IPA
>     servers.
>     Finally, you'll have to use a different realm name for the IPA domain,
>     one that doesn't match the AD domain.
>
>     HTH,
>     Simo.
>
>     > > We have an Oracle dsee7
>     > > server doing LDAP for our Linux servers and accounts. We want to
>     > > migrate to IPA so we don't have to maintain a Linux/LDAP account
>     > > for every user who needs access to Linux servers. All of our users
>     > > start with an account in AD and since none of my predecessors knew
>     > > about Winbind, they set up dsee7.
>     > >
>     > > So I'm thinking we'll need to import all our dsee7 accounts AND
>     > > make it possible for AD users to access the Linux systems without
>     > > needing to create them in IPA.
>     >
>     >
>     > So the approach would be:
>     >
>     > 1) Install IPA (do not migrate users)
>     > 2) Establish trust with AD
>     > 3) Start switching client configuration from using LDAP with
>     > dsee7 to SSSD pointing to IPA
>     >
>     > You do not need to migrate users.
>
>
>
>     --
>     Simo Sorce * Red Hat, Inc * New York
>
> -- 
> If life gives you melons, you may be dyslexic.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
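When the IPA DNS records are copied by hand into an externally managed zone, it is easy to miss one. The following checker is an added example, not code from FreeIPA or from anyone in this thread; the list of required SRV/TXT names is an assumption drawn from the records a standard ipa-server-install prints (compare it against the list your installer actually printed), and the zone text is a constructed sample with one server, ipa1, in the lnx.e-bozo.com domain from the thread.

```python
# Added example: verify that an externally managed zone contains the
# service records FreeIPA expects for its domain.
# ASSUMPTION: REQUIRED_SRV/REQUIRED_TXT approximate the records that
# ipa-server-install prints; adjust them to your installer output.
REQUIRED_SRV = [
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp",
]
REQUIRED_TXT = ["_kerberos"]

# Constructed sample zone: a partial copy with three records missing.
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
_ldap._tcp       IN SRV 0 100 389 ipa1.lnx.e-bozo.com.
_kerberos._tcp   IN SRV 0 100 88  ipa1.lnx.e-bozo.com.
_kerberos._udp   IN SRV 0 100 88  ipa1.lnx.e-bozo.com.
_kpasswd._tcp    IN SRV 0 100 464 ipa1.lnx.e-bozo.com.  ; comment
_kerberos        IN TXT "LNX.E-BOZO.COM"
"""

def parse_zone(text):
    """Return {(owner, rrtype): [rdata, ...]} from a simple zone file."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):      # skip directives
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":    # owner IN type rdata
            continue
        owner, rrtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        records.setdefault((owner, rrtype), []).append(rdata)
    return records

def missing_records(zone_text, realm):
    """List required record names absent from the zone, and flag a
    _kerberos TXT record whose realm does not match the IPA realm."""
    recs = parse_zone(zone_text)
    missing = [n for n in REQUIRED_SRV if (n, "SRV") not in recs]
    missing += [n for n in REQUIRED_TXT if (n, "TXT") not in recs]
    txt = recs.get(("_kerberos", "TXT"), [])
    if txt and txt[0].strip('"') != realm:
        missing.append("_kerberos TXT realm mismatch")
    return missing

if __name__ == "__main__":
    print(missing_records(SAMPLE_ZONE, "LNX.E-BOZO.COM"))
```

Run it against a zone transfer or export of your real zone; each new replica adds another set of these records, which the same check will catch.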
