[Freeipa-users] a user delegated to control a OU and realmd join - how..

Alexander Bokovoy abokovoy at redhat.com
Wed May 18 09:49:10 UTC 2016


On Wed, 18 May 2016, lejeczek wrote:
>On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
>> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
>> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
>> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
>> > > > .. if possible, would you know?
>> > > > hi everybody,
>> > > > I'm trying, and hoping it is possible to realm join an AD but in such a
>> > > > way so I tap my IPA into specific OU within that AD.
>> > >
>> > > I'm not exactly sure what you mean here. Do you want to join a computer
>> > > which is already a client in an IPA domain to AD as well? If this is the
>> > > case I would recommend to consider the IPA trust feature. Joining 2
>> > > domains is in general possible with SSSD but has to be done with very
>> > > great care, e.g. by using different keytabs for each domain.
>> > Can IPA domain establish a trust between win AD if IPA admin only has
>> > admin control over an OU in win AD ?
>>
>> No, you need to be a Domain Admin with full privileges.
>many thanks Simo,
>when I try user who only has delegated admin/management over a OU I
>see:
>Active Directory domain administrator's password: 
>ipa: ERROR: Insufficient access: CIFS server denied your credentials.
That's correct. You need to be a member of Domain Admins group of the
forest root domain or a member of Enterprise Admins group in the forest.

>Would joining an IPA server to winAD with realmd be kind of one way
>trust?
No, not at all.

Trust != joining a machine to AD domain.

>Is it even possible(with no reasons against doing so) to join IPA
>server/domain to AD?
No. A machine in Active Directory can only be a member of a single
domain. It cannot be a servant of two masters.

>I mean I did that and I could get AD users IDs but there was some
>problem with krb5, config got messed up and daemon would not start.
If you like to enjoy broken configurations, it is up to you. There is
probably a reason why obvious things don't work. If you want to know
more about Active Directory, feel free to read specs at MSDN. Start with
MS-ADTS: https://msdn.microsoft.com/en-us/library/cc223122.aspx

-- 
/ Alexander Bokovoy
