[Freeipa-users] FreeIPA and AD trusts on the same DNS domain

Alston, David David.Alston at sabre.com
Wed Aug 3 18:24:30 UTC 2016


Greetings!

     Everyone seems to say that you can't have a domain trust across two Kerberos realms (FreeIPA and Active Directory) if the hosts share the same DNS domain.

     Hadoop seems to do this just fine, though.  I'm in the process of helping someone set up a trust between the Kerberos realms HADOOP.COMPANY.COM and COMPANY.COM and all of the servers use the company.com DNS domain. (see http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)

     This seems to be standard practice for setting up Hadoop clusters.  Why wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts COMPANY.COM (with all involved servers having the "company.com" DNS domain) work?  As I understand it, the Kerberos realm FreeIPA uses can be specified during the initial setup and it doesn't have to match the domain.

--David Alston