[Freeipa-users] a user delegated to control a OU and realmd join - how..

Sumit Bose sbose at redhat.com
Fri May 13 13:14:10 UTC 2016


On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> .. if possible, would you know?
> hi everybody,
> I'm trying, and hoping it is possible, to realm join an AD but in such a
> way that I tap my IPA into a specific OU within that AD.

I'm not exactly sure what you mean here. Do you want to join a computer
which is already a client in an IPA domain to AD as well? If this is the
case I would recommend considering the IPA trust feature. Joining two
domains is in general possible with SSSD but has to be done with very
great care, e.g. by using different keytabs for each domain.

> The thing is - I'm thinking it would make user access control ideal
> from the start as I need only users from that OU, but also because I'm
> only granted access to the user/group who has control over that OU.
> I'm trying that but I see:
> 
> ! The computer account RIDER already exists, but is not in the desired
> organizational unit.
> adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> already exists,

Computer account names in AD must be unique even if they are added to
different OUs. So if there is already a computer called RIDER joined to
AD and it is not your computer, you have to rename your computer to join.
If it is your computer and you want to create it in a different OU, you
have to delete the old computer object first and then do a fresh join.

HTH

bye,
Sumit

>  ! Failed to join the domain
> 
> I'm doing this:
> $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> 
> and computer is in OU=private of ccc.bb.aa
> so is the user private-user
> 
> many thanks.

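The reply above boils down to a pre-join check: before running `realm join --computer-ou=...`, look up whether a computer account with your hostname already exists in AD and, if so, which container it lives in, because that is exactly what adcli complains about. The following is an added example and not code from the thread, realmd or adcli. It parses the LDIF that a directory lookup such as `ldapsearch -LLL -Y GSSAPI -H ldap://dc.ccc.bb.aa -b DC=ccc,DC=bb,DC=aa '(sAMAccountName=RIDER$)' dn` would print (the `dc.ccc.bb.aa` host and the `CN=Computers` location of the existing object are assumptions; the LDIF is constructed) and decides whether the existing object sits in the OU you are about to ask for. It accepts the OU either as a relative DN (`OU=private`) or as a full DN, matching how `realm join --computer-ou` is documented to accept both.

```python
"""Pre-join check for the 'computer account already exists, but is not in the
desired organizational unit' situation.

Added example, not from the original thread.  Feed it the LDIF printed by a
lookup of sAMAccountName=<HOSTNAME>$ (computer accounts carry a trailing '$')
and the OU you intend to pass to `realm join --computer-ou`.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: what a lookup for RIDER$ might return if the account was
# created earlier by a default join.  The CN=Computers location is an assumption.
SAMPLE_LDIF = "dn: CN=RIDER,CN=Computers,DC=ccc,DC=bb,DC=aa\n"

BASE_DN = "DC=ccc,DC=bb,DC=aa"  # forest/domain root used in the thread's realm


def parse_dns(ldif: str) -> List[str]:
    """Return every 'dn:' value in an LDIF blob, one per returned object."""
    dns = []
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas; normalise each RDN to
    lower case so 'CN=Computers' and 'cn=computers' compare equal."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip().lower() for p in parts]


def parent_container(dn: str) -> str:
    """Container the object lives in: the DN minus its leading RDN."""
    return ",".join(split_dn(dn)[1:])


def desired_container(computer_ou: str, base_dn: str) -> str:
    """Normalise the --computer-ou argument.  realm accepts either a relative
    DN ('OU=private') or a full DN; a relative one gets the base DN appended."""
    ou_norm = ",".join(split_dn(computer_ou))
    base_norm = ",".join(split_dn(base_dn))
    if not ou_norm.endswith(base_norm):
        ou_norm = ou_norm + "," + base_norm
    return ou_norm


def classify(ldif: str, computer_ou: str, base_dn: str) -> Tuple[str, Optional[str]]:
    """Return one of:
       ('absent', None)            - no such computer account, join may create it
       ('in_desired_ou', dn)       - account exists where you want it
       ('in_other_ou', dn)         - the situation from the thread: rename the
                                     host, or (if it is yours) delete the old
                                     object and re-join"""
    dns = parse_dns(ldif)
    if not dns:
        return ("absent", None)
    want = desired_container(computer_ou, base_dn)
    for dn in dns:
        if parent_container(dn) == want:
            return ("in_desired_ou", dn)
    return ("in_other_ou", dns[0])


if __name__ == "__main__":
    status, dn = classify(SAMPLE_LDIF, "OU=private", BASE_DN)
    print(status, dn)
```

Run it against the real `ldapsearch` output for your host; `in_other_ou` is the state that produced the error in the question, and the DN it reports tells you whether the object is yours to remove or someone else's, in which case renaming the host is the only option.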
