[Freeipa-users] a user delegated to control a OU and realmd join - how..

lejeczek peljasz at yahoo.co.uk
Mon May 16 08:34:28 UTC 2016



On 13/05/16 14:14, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
>> .. if possible, would you know?
>> hi everybody,
>> I'm trying, and hoping it is possible to realm join an AD but in such a
>> way so I tap my IPA into specific OU within that AD.
> I'm not exactly sure what you mean here. Do you want to join a computer
> which is already a client in an IPA domain to AD as well? If this is the
> case I would recommend to consider the IPA trust feature. Joining 2
> domains is in general possible with SSSD but has to be done with very
> great care, e.g. by using different keytabs for each domain.
>
>> The thing is - I'm thinking it would make user access control ideal
>> from the start as I need only users from that OU, but also because I'm
>> only granted access to the user/group who has control over that OU.
>> I'm trying that but I see:
>>
>> ! The computer account RIDER already exists, but is not in the desired
>> organizational unit.
>> adcli: joining domain ccc.bb.aa failed: The computer account RIDER
>> already exists,
> Computer account names in AD must be unique even if they are added to
> different OUs. So if there is already a computer called RIDER joined to
> AD and it is not your computer you have to rename your computer to join.
> If it is your computer and you want to create it in a different OU you
> have to delete the old computer object first and then do a fresh join.
hi Sumit, for me it did not work because of this bug: 
https://bugzilla.redhat.com/show_bug.cgi?id=1258488
> HTH
>
> bye,
> Sumit
>
>>   ! Failed to join the domain
>>
>> I'm doing this:
>> $ realm join ccc.bb.aa --user=private-user --computer-ou=private
>>
>> and computer is in OU=private of ccc.bb.aa
>> so is the user private-user
>>
>> many thanks.