[Freeipa-users] IPA Trusts

Gould, Joshua Joshua.Gould at osumc.edu
Mon Mar 16 20:56:43 UTC 2015


FWIW, we have IPA working with AD managed DNS. As Alexander mentioned,
you'll need to have DNS properly configured. What I've found is the most
critical is having the SRV records properly defined for the AD domain and
the IPA domains. I kind of wish the docs were a bit clearer on which of
the SRV records were needed. Ex. They list ldap but I didn't see any
mention of kerberos SRV records.

On 3/16/15, 3:16 PM, "Erinn Looney-Triggs" <erinn.looneytriggs at gmail.com>
wrote:

>On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote:
>> On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
>> >Reading through the RHEL 7.1 documents on setting up a trust between IPA
>> >and AD I came across a note that IPA had to be managing DNS in order for
>> >this to work. Why is this? Is there any way around this? At this point the
>> >DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,
>> >it must be managed separately.
>> 
>> It is unfortunate that documentation turns recommendations into
>> mandatory statements. IPA deployment depends heavily on properly
>> configured DNS and we provide means to maintain DNS server with IPA
>> tools. This, however, doesn't mean DNS is required to be maintained by
>> IPA only. Instead, a properly maintained DNS setup is required, not that
>> it is set up and controlled by IPA means.
>> 
>> It is easier in many cases to use IPA-managed DNS but if you know what
>> you are doing, all we ask is to have proper DNS entries in your DNS
>> infrastructure prior to using IPA commands which require these entries
>> to exist (or be created, had the DNS infrastructure been managed by
>> IPA).
>
>Ok thanks, I sort of figured that was probably the case, but I wanted to
>check to make sure.
>
>-Erinn





