[Freeipa-users] Choosing the right way to create trust

Petr Spacek pspacek at redhat.com
Wed Feb 12 10:45:50 UTC 2014


On 12.2.2014 11:32, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Genadi Postrilko wrote:
>> What about adding alias DNS record of hostname.ipa.zone.corp to all linux
>> machines, so they will keep the old FQDM.
> What would it give to you?
>
> AD DC uses FQDN to decide which KDC is responsible to issue TGT (and
> other tickets). If it belongs to its own DNS domain, no attempt to issue
> cross-realm TGT will be done and Windows users will never get tickets to
> services running on these IPA machines.
>
> You would really need to address IPA machines by their host names in
> ipa.zone.corp domain and never by .zone.corp. At this point there is no
> need to keep them in .zone.corp.

Good point. Maybe CNAMEs from the old name to the new name (in the IPA sub-tree) 
could solve your problem. Kerberos usually follows the chain of CNAMEs, so it 
should work.

Petr^2 Spacek

>> On Feb 12, 2014 10:49 AM, "Martin Kosek" <mkosek at redhat.com> wrote:
>>
>>> On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
>>> > I work in an environment where the AD is the DC of the Windows machines,
>>> > while the Linux machines (RHEL 5\6) are not centrally managed.
>>> > I would like to create an IPA server to manage the Linux machines while
>>> > creating a trust with AD.
>>> > The current situation is all Windows and Linux machines are under the
>>> > .zone.corp domain.
>>> > From what I've read at
>>> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
>>> > I can create a trust when IPA is a subdomain of the AD domain or when the
>>> > domains are separate. I'm not sure which method I should approach.
>>> > Can IPA be a DC inside the AD domain? Or should I create a subdomain for
>>> > Linux and then move all the Linux machines to the new domain (I hope
>>> > not).
>>> >
>>> > Any advice?
>>>
>>> The key here is that for IPA and AD to be able to work together in a trust,
>>> they need to be in separate domains with realms matching these domains. In
>>> your case, it seems to me that the following scenario would work the best:
>>>
>>> * AD with domain zone.corp and realm ZONE.CORP
>>> * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP
>>>
>>> Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
>>> from the AD DNS (or other DNS you use).
>>>
>>> More info here:
>>> http://www.freeipa.org/page/Trusts
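The mechanics behind Alexander's and Petr's advice (a Kerberos client canonicalizes the service host name through its CNAME chain, then maps the resulting DNS name to a realm by longest-suffix match, which is what decides whether the AD KDC hands out a cross-realm TGT) can be simulated offline. The following is an added example, not code from the FreeIPA project or from anyone in the thread; the CNAME table and the `[domain_realm]`-style mapping are constructed for the thread's zone.corp / ipa.zone.corp scenario, and the host names in them (web1, old, mid, dc1) are hypothetical.

```python
"""Simulate how a Kerberos client picks the realm (and thus the KDC) for a
service host: follow CNAMEs to the canonical name, then longest-suffix match
against a krb5.conf [domain_realm]-style mapping.

Added example for the thread's zone.corp / ipa.zone.corp scenario; constructed
data, not FreeIPA code.
"""

# Constructed CNAME table: old .zone.corp names aliased into the IPA sub-tree,
# including a two-hop chain. Names are stored fully qualified (trailing dot).
CNAME_TABLE = {
    "web1.zone.corp.": "web1.ipa.zone.corp.",
    "old.zone.corp.": "mid.zone.corp.",
    "mid.zone.corp.": "mid.ipa.zone.corp.",
}

# Constructed mapping in the shape of krb5.conf [domain_realm]: a leading dot
# matches every host below that domain, a bare name matches exactly.
DOMAIN_REALM = {
    ".ipa.zone.corp": "IPA.ZONE.CORP",
    "ipa.zone.corp": "IPA.ZONE.CORP",
    ".zone.corp": "ZONE.CORP",
    "zone.corp": "ZONE.CORP",
}

MAX_CNAME_DEPTH = 8  # refuse runaway or looping CNAME chains


def canonicalize(hostname, cname_table=CNAME_TABLE, max_depth=MAX_CNAME_DEPTH):
    """Follow CNAMEs to the canonical name. Returns (canonical, chain)."""
    name = hostname.rstrip(".").lower() + "."
    chain = []
    while name in cname_table:
        if name in chain or len(chain) >= max_depth:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        chain.append(name)
        name = cname_table[name].rstrip(".").lower() + "."
    return name.rstrip("."), chain


def realm_for_host(hostname, domain_realm=DOMAIN_REALM):
    """Approximate the [domain_realm] lookup: exact host first, then each
    parent domain from the longest suffix down. Returns None if unmapped."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def which_realm(hostname, canonicalize_hostname=True,
                cname_table=CNAME_TABLE, domain_realm=DOMAIN_REALM):
    """Return (name used for the principal, realm). With canonicalization off
    (krb5's dns_canonicalize_hostname = false), the alias itself is mapped,
    so a .zone.corp alias lands in the AD realm and no cross-realm TGT
    would be requested, which is the failure the thread describes."""
    if canonicalize_hostname:
        name, _ = canonicalize(hostname, cname_table)
    else:
        name = hostname.rstrip(".").lower()
    return name, realm_for_host(name, domain_realm)


if __name__ == "__main__":
    for host in ("web1.zone.corp", "old.zone.corp", "dc1.zone.corp"):
        print(host, "->", which_realm(host))
    print("web1.zone.corp (no canonicalization) ->",
          which_realm("web1.zone.corp", canonicalize_hostname=False))
```

The run shows that with canonicalization the aliased hosts resolve into IPA.ZONE.CORP while a genuine AD host such as dc1 stays in ZONE.CORP, and that a client which does not canonicalize maps the old alias straight to the AD realm. The loop guard matters in practice because a mis-configured alias that points back into the chain would otherwise stall name resolution before any ticket request is made.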