[Freeipa-users] FreeIPA and AD trusts on the same DNS domain

Simo Sorce simo at redhat.com
Wed Aug 3 18:28:15 UTC 2016

On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote:
> Greetings!
>      Everyone seems to say that you can't have a domain trust across two Kerberos realms (FreeIPA and Active Directory) if the hosts share the same DNS domain.
>      Hadoop seems to do this just fine, though.  I'm in the process of helping someone set up a trust between the Kerberos realms HADOOP.COMPANY.COM and COMPANY.COM, and all of the servers use the company.com DNS domain. (see http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)
>      This seems to be standard practice for setting up Hadoop clusters.  Why wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts COMPANY.COM (with all involved servers having the "company.com" DNS domain) work?  As I understand it, the Kerberos realm FreeIPA uses can be specified during the initial setup and it doesn't have to match the domain.
> --David Alston
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

You can have a Realm named COMPANY.COM (AD) and a Realm named
FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer
objects or subdomains in the DNS domain freeipa.company.com.

If that's the case you can create a one-way or two-way trust between the two
forests without issues.

Simo Sorce * Red Hat, Inc * New York
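The two points in this exchange are that a Kerberos client maps a host name to a realm by a domain-to-realm mapping rather than by the DNS domain alone, and that the mapping only stays unambiguous if no AD computer objects or DNS subdomains live under freeipa.company.com. The following Python is an added example written for this page; it is not from the thread, from Simo, or from the FreeIPA project. It models the precedence rules of the krb5.conf `[domain_realm]` section (exact host entry first, then the longest matching `.domain` suffix) and adds a check for the overlap condition the reply rules out. The host names and the mapping are constructed for illustration.

```python
"""
Added example, not from the thread or from FreeIPA: realm resolution for hosts
that share one DNS domain across two Kerberos realms, plus a check for AD
objects that intrude into the IPA DNS namespace.  All names are constructed.
"""

# Constructed mapping in the style of the [domain_realm] section of krb5.conf.
# A key with a leading "." matches every host under that domain; a key without
# a leading dot matches exactly that host name.  The more specific suffix wins.
DOMAIN_REALM = {
    ".company.com": "COMPANY.COM",                  # default for the shared DNS domain (AD)
    ".freeipa.company.com": "FREEIPA.COMPANY.COM",  # IPA subdomain, more specific suffix
    "ipa01.company.com": "FREEIPA.COMPANY.COM",     # IPA host that lives directly in company.com
}

# Constructed list of DNS names registered by AD computer objects.
AD_COMPUTER_DNS_NAMES = [
    "dc01.company.com",
    "fileserver.company.com",
    "legacy.freeipa.company.com",  # the kind of object the reply says must not exist
]


def _normalize(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def realm_for_host(hostname, mapping=DOMAIN_REALM):
    """Resolve a host name to a realm using [domain_realm] precedence.

    1. An exact host entry wins.
    2. Otherwise the longest matching ".parent.domain" suffix wins.
    3. With no match, return None (a real client would then consult DNS
       or fall back to default_realm).
    """
    host = _normalize(hostname)
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Walk from the most specific parent domain to the least specific one.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def ad_objects_inside_ipa_namespace(ad_dns_names, ipa_dns_domain="freeipa.company.com"):
    """Return the AD-registered names that sit at or under the IPA DNS domain.

    A non-empty result is the configuration the reply rules out: AD computer
    objects or subdomains inside freeipa.company.com would make the realm of
    those names ambiguous between COMPANY.COM and FREEIPA.COMPANY.COM.
    """
    ipa_domain = _normalize(ipa_dns_domain)
    suffix = "." + ipa_domain
    return sorted(
        n for n in ad_dns_names
        if _normalize(n) == ipa_domain or _normalize(n).endswith(suffix)
    )


if __name__ == "__main__":
    for host in ("fileserver.company.com", "master.freeipa.company.com",
                 "ipa01.company.com", "other.example.net"):
        print(f"{host:32} -> {realm_for_host(host)}")
    overlap = ad_objects_inside_ipa_namespace(AD_COMPUTER_DNS_NAMES)
    print("AD objects inside the IPA namespace:", overlap or "none")
```

Running the module shows `fileserver.company.com` resolving to COMPANY.COM while `master.freeipa.company.com` and the explicitly listed `ipa01.company.com` resolve to FREEIPA.COMPANY.COM, and flags `legacy.freeipa.company.com` as an AD object that would have to be removed before the trust is set up. The `.freeipa.company.com` suffix must be the only authority for that subtree; the check is the operational pre-condition behind the reply.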
