[Freeipa-users] Choosing the right way to create trust

Sumit Bose sbose at redhat.com
Wed Feb 12 11:06:08 UTC 2014


On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote:
> On 12.2.2014 11:32, Alexander Bokovoy wrote:
> >On Wed, 12 Feb 2014, Genadi Postrilko wrote:
> >>What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux
> >>machines, so they will keep the old FQDN?
> >What would it give to you?
> >
> >AD DC uses the FQDN to decide which KDC is responsible for issuing the TGT (and
> >other tickets). If it belongs to its own DNS domain, no attempt to issue a
> >cross-realm TGT will be made and Windows users will never get tickets to
> >services running on these IPA machines.
> >
> >You would really need to address IPA machines by their host names in
> >ipa.zone.corp domain and never by .zone.corp. At this point there is no
> >need to keep them in .zone.corp.
> 
> Good point. Maybe CNAMEs from the old name to the new name (in the IPA
> sub-tree) could solve your problem. Kerberos usually follows a chain
> of CNAMEs, so it should work.

This might work on the DNS level, but the local hostname must match as
well, because services like sshd will search their keytab entries
with the help of the local hostname. It might be possible to configure
the services to use other keytab entries, but I think it would be easier
to just move all hosts to a new domain than to touch the configuration
of every single service.

bye,
Sumit

> 
> Petr^2 Spacek
> 
> >>On Feb 12, 2014 10:49 AM, "Martin Kosek" <mkosek at redhat.com> wrote:
> >>
> >>>On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
> >>>> I work in an environment where the AD is the DC of the Windows machines,
> >>>> while the Linux machines (RHEL 5\6) are not centrally managed.
> >>>> I would like to create an IPA server to manage the Linux machines while
> >>>> creating a trust with AD.
> >>>> The current situation is that all Windows and Linux machines are under the
> >>>> .zone.corp domain.
> >>>> From what I've read at
> >>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
> >>>> I can create a trust when IPA is a subdomain of the AD domain or when the
> >>>> domains are separate. I'm not sure which method I should approach.
> >>>> Can IPA be a DC inside the AD domain? Or should I create a subdomain for
> >>>> Linux and then move all the Linux machines to the new domain (I hope
> >>>> not).
> >>>>
> >>>> Any advice?
> >>>
> >>>The key here is that for IPA and AD to be able to work together in a trust,
> >>>they need to be in separate domains with realms matching these domains. In
> >>>your case, it seems to me that the following scenario would work best:
> >>>
> >>>* AD with domain zone.corp and realm ZONE.CORP
> >>>* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP
> >>>
> >>>Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
> >>>from the AD DNS (or other DNS you use).
> >>>
> >>>More info here:
> >>>http://www.freeipa.org/page/Trusts
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
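The thread makes two distinct checks: Alexander's point that the name a client uses must resolve into the IPA DNS domain (otherwise AD treats it as its own and never issues a cross-realm TGT), and Sumit's point that the local hostname must also match a host/ principal in the keytab, because sshd looks the key up by the local hostname, so a CNAME alone is not enough. The script below, an added example and not code from the thread, FreeIPA or any of the posters, models both checks offline: it follows a constructed CNAME chain, does a krb5-style domain_realm lookup (exact hostname first, then parent domains with a leading dot), and parses constructed klist -kt output for the expected host principal. The hostnames, CNAME table, domain_realm mapping and klist output are all constructed for the example; the realms and domains are the ones Martin proposed.

```python
# Constructed sample of what `klist -kt /etc/krb5.keytab` prints on an IPA-enrolled
# host (timestamps and KVNO made up for this example, not captured from a real box).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/12/14 10:05:11 host/web1.ipa.zone.corp@IPA.ZONE.CORP
   2 02/12/14 10:05:11 host/web1.ipa.zone.corp@IPA.ZONE.CORP
"""

# Constructed [domain_realm]-style mapping for the layout Martin proposed in the thread.
DOMAIN_REALM = {
    ".ipa.zone.corp": "IPA.ZONE.CORP",
    "ipa.zone.corp": "IPA.ZONE.CORP",
    ".zone.corp": "ZONE.CORP",
    "zone.corp": "ZONE.CORP",
}

# Constructed CNAME table: the "alias record" idea from the thread, old name -> new name.
CNAMES = {"web1.zone.corp": "web1.ipa.zone.corp"}


def canonical_name(name, cnames, max_hops=8):
    """Follow a CNAME chain the way a Kerberos client canonicalizes a host name.
    Stops after max_hops to survive a misconfigured CNAME loop."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        if name not in cnames:
            return name
        name = cnames[name].lower().rstrip(".")
    raise ValueError(f"CNAME chain for {name} does not terminate")


def realm_for_host(fqdn, domain_realm):
    """krb5-style domain_realm lookup: exact host name first, then each parent
    domain with a leading dot (longest suffix wins). None if nothing matches."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def parse_keytab_principals(klist_output):
    """Collect principal names from `klist -kt` output: data rows start with a
    numeric KVNO and end with a principal containing '@'."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit() and "@" in parts[-1]:
            principals.add(parts[-1])
    return principals


def check_host_identity(client_name, local_fqdn, ipa_realm, cnames, domain_realm, klist_output):
    """Return a list of problems (empty means both checks from the thread pass):
    1. the name the client uses, after CNAMEs, must map to the IPA realm;
    2. the local hostname must match that canonical name and have host/ key in the keytab."""
    problems = []
    canonical = canonical_name(client_name, cnames)
    local_fqdn = local_fqdn.lower().rstrip(".")

    realm = realm_for_host(canonical, domain_realm)
    if realm != ipa_realm:
        problems.append(f"{canonical} maps to realm {realm!r}, not {ipa_realm}: "
                        "a Windows client would not request a cross-realm TGT for it")

    if canonical != local_fqdn:
        problems.append(f"client resolves the service as {canonical} but the local "
                        f"hostname is {local_fqdn}: sshd will look up the wrong key")

    wanted = f"host/{local_fqdn}@{ipa_realm}"
    if wanted not in parse_keytab_principals(klist_output):
        problems.append(f"keytab has no {wanted}: sshd has no key to accept tickets with")
    return problems


if __name__ == "__main__":
    # Host moved to the IPA domain and reachable through the old name via CNAME: OK.
    print(check_host_identity("web1.zone.corp", "web1.ipa.zone.corp", "IPA.ZONE.CORP",
                              CNAMES, DOMAIN_REALM, SAMPLE_KLIST_OUTPUT))
    # Host kept its old local hostname: the CNAME helps DNS, but sshd still fails.
    for p in check_host_identity("web1.zone.corp", "web1.zone.corp", "IPA.ZONE.CORP",
                                 CNAMES, DOMAIN_REALM, SAMPLE_KLIST_OUTPUT):
        print("PROBLEM:", p)
```

The second call in the usage section is the case Sumit describes: DNS canonicalization delivers the right service name to the client, but a host whose local hostname still ends in .zone.corp has neither the matching hostname nor a host/web1.zone.corp principal, so the CNAME alone does not make sshd accept the ticket.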
