[Freeipa-users] Choosing the right way to create trust

Sumit Bose sbose at redhat.com
Wed Feb 12 08:45:47 UTC 2014


On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote:
> I work in an environment where the AD is the DC of the Windows machines,
> while the Linux machines (RHEL 5\6) are not centrally managed.
> I would like to create an IPA server to manage the Linux machines while
> creating a trust with AD.
> The current situation is that all Windows and Linux machines are under the
> .zone.corp domain.
> From what I've read at
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
> I can create a trust when IPA is a subdomain of the AD domain or when the
> domains are separate. I'm not sure which method I should approach.
> Can IPA be a DC inside the AD domain? Or should I create a subdomain for
> Linux and then move all the Linux machines to the new domain (I hope not)?

I'm afraid you have to move the Linux machines to a separate domain
when you want to use a trust. The reason is that Kerberos depends heavily
on DNS and, e.g., uses the fully qualified host names and DNS SRV records to
determine membership in a realm and the KDCs of a realm.

HTH

bye,
Sumit

> 
> Any advice?

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
