[Freeipa-users] a user delegated to control an OU and realmd join - how..

lejeczek peljasz at yahoo.co.uk
Tue May 17 08:27:55 UTC 2016


On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > .. if possible, would you know?
> > hi everybody,
> > I'm trying, and hoping it is possible, to realm join an AD, but in such a
> > way that I tap my IPA into a specific OU within that AD.
> 
> I'm not exactly sure what you mean here. Do you want to join a computer
> which is already a client in an IPA domain to AD as well? If this is the
> case I would recommend considering the IPA trust feature. Joining 2
> domains is in general possible with SSSD but has to be done with very
> great care, e.g. by using different keytabs for each domain.
Can an IPA domain establish a trust with a win AD if the IPA admin only has
admin control over an OU in the win AD?
I know very little about AD and only started with IPA - I don't suppose
control of an OU delegated to a user makes that user an AD admin.
I guess what I'm thinking, asking, is - what would be the correct
possible way to plug in, connect the IPA domain to the win AD when one has
admin control only over an OU in the win AD?
many thanks
L.
> > 
> > The thing is - I'm thinking it would make user access control ideal
> > from the start as I need only users from that OU, but also because I'm
> > only granted access to the user/group who has control over that OU.
> > I'm trying that but I see:
> > 
> > ! The computer account RIDER already exists, but is not in the desired
> > organizational unit.
> > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > already exists,
> > 
> 
> Computer account names in AD must be unique even if they are added to
> different OUs. So if there is already a computer called RIDER joined to
> AD and it is not your computer you have to rename your computer to join.
> If it is your computer and you want to create it in a different OU you
> have to delete the old computer object first and then do a fresh join.
> 
> HTH
> 
> bye,
> Sumit
> 
> 
> > 
> >  ! Failed to join the domain
> > 
> > I'm doing this:
> > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > 
> > and computer is in OU=private of ccc.bb.aa
> > so is the user private-user
> > 
> > many thanks.
> > L
> > 
> > -- 
> > Manage your subscription for the Freeipa-users mailing list:
> > 
https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> > Go to http://freeipa.org for more info on the project
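One way to find out in advance which of Sumit's two cases applies before running the join, written as an added example for this thread rather than code from the thread, from realmd or from adcli. It takes the domain ccc.bb.aa, the user private-user and the host RIDER from the posts; the OU distinguished name OU=private,DC=ccc,DC=bb,DC=aa is an assumption (the thread only says OU=private), and ldapsearch with GSSAPI after a kinit as the delegated user is assumed to be available. The live search is commented out so the script runs offline against a constructed LDIF result; the join command passes --computer-ou as a full DN.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, realmd or adcli).
# Before "realm join --computer-ou=...", look up whether a computer object with
# this host's name already exists in AD and whether it sits in the delegated OU,
# which is exactly the distinction behind adcli's "already exists, but is not
# in the desired organizational unit" error.
#
# Assumed values: domain ccc.bb.aa, delegated user private-user and host RIDER
# come from the posts; the OU DN below is an assumption (the thread only says
# "OU=private"); ldapsearch with GSSAPI after "kinit private-user" is assumed.
DOMAIN=ccc.bb.aa
DELEGATED_USER=private-user
OU_DN='OU=private,DC=ccc,DC=bb,DC=aa'
HOST=RIDER

# Join LDIF continuation lines: a line starting with one space continues the
# previous line. ldapsearch folds long attribute values this way.
unfold_ldif() {
    awk '
        /^ / { line = line substr($0, 2); next }
        { if (started) print line; line = $0; started = 1 }
        END { if (started) print line }
    '
}

# DN of the first entry in the LDIF text given as $1; empty if there is none.
# Base64-encoded DNs ("dn:: ...") are not handled; computer names are ASCII.
ldif_entry_dn() {
    printf '%s\n' "$1" | unfold_ldif | sed -n 's/^dn: //p' | head -n 1
}

# AD compares DNs case-insensitively, so lower-case both sides before comparing.
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Parent container of a DN, i.e. the DN with its first RDN removed.
# (An escaped comma inside the CN is not handled.)
dn_parent() { printf '%s' "$1" | sed 's/^[^,]*,//'; }

# classify_computer LDIF OU_DN prints one of:
#   absent   - no object with that name; the join can create one in OU_DN
#   in-ou    - the object already lives in OU_DN
#   wrong-ou - the object exists elsewhere, which adcli refuses to move
classify_computer() {
    dn=$(ldif_entry_dn "$1")
    if [ -z "$dn" ]; then
        echo absent
    elif [ "$(to_lower "$(dn_parent "$dn")")" = "$(to_lower "$2")" ]; then
        echo in-ou
    else
        echo wrong-ou
    fi
}

# Print (rather than run) the next step for each state. In the wrong-ou case
# only the administrator knows whether RIDER is this machine's stale object or
# someone else's computer, so both of Sumit's remedies are listed.
remediation() {
    case "$1" in
        absent|in-ou)
            echo "realm join $DOMAIN --user=$DELEGATED_USER --computer-ou='$OU_DN'"
            ;;
        wrong-ou)
            echo "# if $HOST is your own stale object: delete it, then join fresh"
            echo "adcli delete-computer --domain=$DOMAIN --login-user=$DELEGATED_USER $HOST"
            echo "realm join $DOMAIN --user=$DELEGATED_USER --computer-ou='$OU_DN'"
            echo "# if it is someone else's computer: rename this host first"
            echo "hostnamectl set-hostname rider2.$DOMAIN"
            ;;
    esac
}

# Live lookup, commented out so the script runs offline:
# LDIF=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$DOMAIN" -b "DC=ccc,DC=bb,DC=aa" \
#     "(sAMAccountName=$HOST\$)" dn)
#
# Constructed stand-in for that output: RIDER exists under a different OU, and
# the dn line is folded the way ldapsearch folds long values.
SAMPLE_LDIF='dn: CN=RIDER,OU=Servers,OU=Infrastructure Services,DC=ccc,DC=
 bb,DC=aa

'

main() {
    state=$(classify_computer "$SAMPLE_LDIF" "$OU_DN")
    echo "computer account $HOST: $state"
    remediation "$state"
}
main
```

The delegated user's rights end at OU=private, so an `adcli delete-computer` against an object that lives outside that OU will very likely be refused by AD; in that situation the only option the delegated user has is the second one, renaming the host so the join creates a new object inside the delegated OU.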