[Freeipa-users] a user delegated to control an OU and realmd join - how..

Sumit Bose sbose at redhat.com
Wed May 18 12:40:42 UTC 2016


On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
> 
> 
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible, to realm join an AD but in such a
> > > way that I tap my IPA into a specific OU within that AD.
> > I'm not exactly sure what you mean here. Do you want to join a computer
> > which is already a client in an IPA domain to AD as well? If this is the
> > case I would recommend considering the IPA trust feature. Joining 2
> > domains is in general possible with SSSD but has to be done with very
> > great care, e.g. by using different keytabs for each domain.
> > 
> > > The thing is - I'm thinking it would make user access control ideal
> > > from the start as I need only users from that OU, but also because I'm
> > > only granted access to the user/group who has control over that OU.
> > > I'm trying that but I see:
> > > 
> > > ! The computer account RIDER already exists, but is not in the desired
> > > organizational unit.
> > > adcli: joining domain ccc.bb.aa failed: The computer account RIDER
> > > already exists,
> > Computer account names in AD must be unique even if they are added to
> > different OUs. So if there is already a computer called RIDER joined to
> > AD and it is not your computer you have to rename your computer to join.
> > If it is your computer and you want to create it in a different OU you
> > have to delete the old computer object first and then do a fresh join.
> hi Sumit, for me it did not work because of this bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1258488

You might want to have a look at the test build at
http://koji.fedoraproject.org/koji/taskinfo?taskID=14148923 which
includes a patch which should fix bz1258488.

bye,
Sumit

> > HTH
> > 
> > bye,
> > Sumit
> > 
> > >   ! Failed to join the domain
> > > 
> > > I'm doing this:
> > > $ realm join ccc.bb.aa --user=private-user --computer-ou=private
> > > 
> > > and computer is in OU=private of ccc.bb.aa
> > > so is the user private-user
> > > 
> > > many thanks.
> > > -- 
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> 