[Freeipa-users] Choosing the right way to create trust

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 12 10:32:24 UTC 2014


On Wed, 12 Feb 2014, Genadi Postrilko wrote:
>What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
>machines, so they will keep the old FQDN.
What would it give to you?

The AD DC uses the FQDN to decide which KDC is responsible for issuing the TGT (and
other tickets). If it belongs to its own DNS domain, no attempt to issue a
cross-realm TGT will be made, and Windows users will never get tickets to
services running on these IPA machines.

You would really need to address IPA machines by their host names in the
ipa.zone.corp domain and never by .zone.corp. At this point there is no
need to keep them in .zone.corp.

>On Feb 12, 2014 10:49 AM, "Martin Kosek" <mkosek at redhat.com> wrote:
>
>> On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
>> > I work in an environment where the AD is the DC of the Windows machines,
>> > while the Linux machines (RHEL 5\6) are not centrally managed.
>> > I would like to create an IPA server to manage the Linux machines while
>> > creating a trust with AD.
>> > The current situation is that all Windows and Linux machines are under the
>> > .zone.corp domain.
>> > From what I've read at
>> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
>> > I can create a trust when IPA is a subdomain of the AD domain or when the
>> > domains are separate. I'm not sure which method I should take.
>> > Can IPA be a DC inside the AD domain? Or should I create a subdomain for
>> > Linux and then move all the Linux machines to the new domain (I hope
>> > not).
>> >
>> > Any advice?
>>
>> The key here is that for IPA and AD to be able to work together in a trust,
>> they need to be in separate domains with realms matching those domains. In
>> your case, it seems to me that the following scenario would work best:
>>
>> * AD with domain zone.corp and realm ZONE.CORP
>> * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP
>>
>> Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
>> from the AD DNS (or other DNS you use).
>>
>> More info here:
>> http://www.freeipa.org/page/Trusts
>>
>> Martin
>>



-- 
/ Alexander Bokovoy
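Alexander's point above, as an added example that is not from this thread or from the FreeIPA project: a POSIX shell model of the longest-suffix domain-to-realm lookup (the way a krb5 [domain_realm] section is evaluated), with a constructed mapping for the layout Martin proposed. It shows why a DNS alias under .zone.corp does not help: any name under the AD domain maps to ZONE.CORP, so no cross-realm TGT is needed or requested, while only names under ipa.zone.corp map to IPA.ZONE.CORP. The mapping and host names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed domain_realm mapping mirroring the thread's layout:
# AD owns zone.corp, IPA owns the delegated subdomain ipa.zone.corp.
# Format: "<dns domain> <kerberos realm>" per line; a leading dot means
# "hosts below this domain", no dot means an exact host/domain match.
DOMAIN_REALM_MAP='
.ipa.zone.corp IPA.ZONE.CORP
ipa.zone.corp IPA.ZONE.CORP
.zone.corp ZONE.CORP
zone.corp ZONE.CORP
'

# realm_for_host FQDN: print the realm chosen for FQDN by longest-suffix
# matching over DOMAIN_REALM_MAP, or nothing if no mapping applies.
realm_for_host() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    best_len=0
    best_realm=''
    while read -r domain realm; do
        [ -z "$domain" ] && continue
        case "$domain" in
            .*) # suffix rule: the quoted pattern keeps dots literal
                case "$fqdn" in
                    *"$domain") match=1 ;;
                    *) match=0 ;;
                esac ;;
            *)  # exact rule
                [ "$fqdn" = "$domain" ] && match=1 || match=0 ;;
        esac
        if [ "$match" -eq 1 ] && [ "${#domain}" -gt "$best_len" ]; then
            best_len=${#domain}
            best_realm=$realm
        fi
    done <<EOF
$DOMAIN_REALM_MAP
EOF
    printf '%s\n' "$best_realm"
}

# needs_cross_realm FQDN: succeeds when a ZONE.CORP (AD) user would need a
# cross-realm TGT to reach a service on FQDN, i.e. the host maps to a
# realm other than the AD realm.
needs_cross_realm() {
    r=$(realm_for_host "$1")
    [ -n "$r" ] && [ "$r" != "ZONE.CORP" ]
}
```

On a real client the same distinction is visible in `klist` after contacting a service: the service principal in the ticket carries the realm that issued it.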
