[Freeipa-users] Choosing the right way to create trust

Martin Kosek mkosek at redhat.com
Wed Feb 12 08:49:00 UTC 2014


On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
> I work in an environment where the AD is the DC of the Windows machines,
> while the Linux machines (RHEL 5\6) are not centrally managed.
> I would like to create an IPA server to manage the Linux machines while
> creating a trust with AD.
> The current situation is that all Windows and Linux machines are under
> the .zone.corp domain.
> From what I've read at
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
> I can create a trust when IPA is a subdomain of the AD domain or when the
> domains are separate. I'm not sure which approach I should take.
> Can IPA be a DC inside the AD domain? Or should I create a subdomain for
> Linux and then move all the Linux machines to the new domain (I hope not).
> 
> Any advice?

The key here is that for IPA and AD to be able to work together in a trust,
they need to be in separate domains, with realms matching these domains. In your
case, it seems to me that the following scenario would work best:

* AD with domain zone.corp and realm ZONE.CORP
* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

Ideally, IPA should have DNS installed and have ipa.zone.corp delegated
from the AD DNS (or whatever other DNS you use).

More info here:
http://www.freeipa.org/page/Trusts

Martin
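As an added example (not part of this thread or of the FreeIPA project), here is a small POSIX shell check that encodes the naming rules from the reply above, so a proposed layout can be verified before running ipa-server-install. The function names are assumptions; the domain and realm names are the ones from the thread.

```shell
#!/bin/sh
# Added example: sanity-check a proposed AD/IPA trust layout.
# Rules encoded: AD and IPA must live in different DNS domains, each realm is
# the upper-cased form of its own domain, the two realms differ, and a child
# IPA domain needs an NS delegation from the AD DNS.

# upper: print the argument in upper case (POSIX tr, no bash-isms)
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_trust_layout AD_DOMAIN AD_REALM IPA_DOMAIN IPA_REALM
# Returns 0 when the naming is consistent, 1 otherwise, printing each
# violated rule so the admin knows what to fix before installing.
check_trust_layout() {
  ad_dom=$1; ad_realm=$2; ipa_dom=$3; ipa_realm=$4; rc=0
  # Rule 1: the two sides must not share a DNS domain.
  if [ "$ad_dom" = "$ipa_dom" ]; then
    echo "FAIL: IPA cannot be installed inside the AD domain $ad_dom"; rc=1
  fi
  # Rule 2: each realm must match its own domain, upper-cased.
  if [ "$ad_realm" != "$(upper "$ad_dom")" ]; then
    echo "FAIL: AD realm $ad_realm does not match domain $ad_dom"; rc=1
  fi
  if [ "$ipa_realm" != "$(upper "$ipa_dom")" ]; then
    echo "FAIL: IPA realm $ipa_realm does not match domain $ipa_dom"; rc=1
  fi
  # Rule 3: realms must differ, otherwise Kerberos cannot tell them apart.
  if [ "$ad_realm" = "$ipa_realm" ]; then
    echo "FAIL: AD and IPA realms must be different"; rc=1
  fi
  # Informational: a subdomain layout needs an NS delegation in AD DNS.
  case "$ipa_dom" in
    *."$ad_dom") echo "NOTE: $ipa_dom is a child of $ad_dom; delegate it with an NS record in AD DNS" ;;
    *)           echo "NOTE: $ipa_dom is a separate domain; make sure both sides can resolve each other" ;;
  esac
  return $rc
}

# delegation_present DOMAIN: 0 if DNS already answers with NS records for
# DOMAIN, 1 if not. Returns 2 when dig is unavailable so the script runs
# offline; call it only on a host that can reach the AD DNS.
delegation_present() {
  command -v dig >/dev/null 2>&1 || return 2
  [ -n "$(dig +short NS "$1")" ]
}

# Usage with the layout proposed in the thread.
check_trust_layout zone.corp ZONE.CORP ipa.zone.corp IPA.ZONE.CORP
```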
