[Freeipa-users] Master level IPA server

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 30 05:03:01 UTC 2015


On Wed, 29 Apr 2015, Aric Wilisch wrote:
>Is it possible to set up a Master level FreeIPA domain, then have 3 sub
>level domains use it for authentication?
>
>So master server at say ipa.domain.com <http://ipa.domain.com/>, then
>have a secondary zone that is ipa2.sub1.domain.com
><http://ipa2.sub1.domain.com/>.
This is possible. As long as the DNS domains of IPA do not overlap with
the DNS domains of the Active Directory deployment, or any other Kerberos
realm, things should work.

>
>We have 3 different environments that need to stay separated. We were
>going to have them all authenticate to an Active Directory domain but
>getting that set up is turning into a real issue. So if possible I would
>like to have a master level IPA server, then three sub level IPA
>servers that authenticate against it, then have our Windows Terminal
>Servers authenticate against it as well if possible.
You cannot log in to Windows machines by authenticating against IPA right
now; this is not supported.

You can establish a cross-forest trust between the IPA realm and Active
Directory and then log in to IPA machines with Active Directory
credentials. If this is not what you want, IPA does not yet support
your case.

There aren't enough details to see what your issue is, though.

-- 
/ Alexander Bokovoy



