[Freeipa-users] IPA Trusts

Martin Kosek mkosek at redhat.com
Tue Mar 17 07:34:01 UTC 2015


Joshua or Erinn, can either of you please help us improve the docs and file a
bug for the Windows integration guide, about the section you are concerned with?

This is a direct link:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207&component=doc-Windows_Integration_Guide

Thank you!
Martin

On 03/16/2015 09:56 PM, Gould, Joshua wrote:
> FWIW, we have IPA working with AD managed DNS. As Alexander mentioned,
> you'll need to have DNS properly configured. What I've found is the most
> critical is having the SRV records properly defined for the AD domain and
> the IPA domains. I kind of wish the docs were a bit clearer on which of
> the SRV records were needed. Ex. They list ldap but I didn't see any
> mention of kerberos SRV records.
> 
> On 3/16/15, 3:16 PM, "Erinn Looney-Triggs" <erinn.looneytriggs at gmail.com>
> wrote:
> 
>> On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote:
>>> On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
>>>> Reading through the RHEL 7.1 documents on setting up a trust between IPA
>>>> and AD I came across a note that IPA had to be managing DNS in order for
>>>> this to work. Why is this? Is there any way around this? At this point the
>>>> DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,
>>>> it must be managed separately.
>>>
>>> It is unfortunate that documentation turns recommendations into
>>> mandatory statements. IPA deployment depends heavily on properly
>>> configured DNS and we provide means to maintain DNS server with IPA
>>> tools. This, however, doesn't mean DNS is required to be maintained by
>>> IPA only. Instead, a properly maintained DNS setup is required, not that
>>> it is set up and controlled by IPA means.
>>>
>>> It is easier in many cases to use IPA-managed DNS but if you know what
>>> you are doing, all we ask is to have proper DNS entries in your DNS
>>> infrastructure prior to using IPA commands which require these entries
>>> to exist (or be created, had the DNS infrastructure been managed by
>>> IPA).
>>
>> Ok thanks, I sort of figured that was probably the case, but I wanted to
>> check to make sure.
>>
>> -Erinn
> 
> 
> 
