[Freeipa-users] What if my AD domain user password not available

Ben .T.George bentech4you at gmail.com
Mon May 23 18:22:21 UTC 2016


Hi

In my case I have 2 domains:

AD DNS : corp.example.kw.com
main DNS ( from appliance) : kw.example.com

and all the Linux boxes are pointed to kw.example.com.

So I put my IPA server hostname as ipa.kw.example.com and created A & PTR records
on kw.example.com.

Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorourke at earthlink.net>
wrote:

> Ben,
>
> Yes, that is a requirement.  Just creating the A & PTR records for your
> FreeIPA server is not enough.  You will need to keep the DNS zones separate
> too, for example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name.  So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the Linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
>
> -----Original Message-----
> From: "Ben .T.George"
> Sent: May 23, 2016 10:44 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What if my AD domain user password not
> available
>
> Hi
>
> Yeah, that GIF screen I shared with him, but that doesn't show how to take
> the shared key.
>
> In my case DNS is handled by 3rd-party appliances and from their side they
> created an A record for my IPA server. Both forward and reverse are working.
>
> Is this forwarder a mandatory thing from the DNS side?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorourke at earthlink.net>
> wrote:
>
>> Actually one of his questions doesn't make sense, because last I checked,
>> normal domain users do not have permissions to create a forest trust.
>> I believe the default is a one-way trust, so maybe his concerns about the
>> bi-directional trust are really a non-issue.
>> If he refuses to type in the admin password in a Linux console session
>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>> on using a pre-shared key and have him set up the AD side and give you the
>> key.  You don't have to be a Windows expert to do this, just ask your
>> domain admin to do the steps for you.  Also, you will need to set up a
>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>> have problems.
>>
>> -Mike
>>
>>
>> -----Original Message-----
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:07 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What if my AD domain user password not
>> available
>>
>> Hi
>>
>> He is local, but he is asking so many questions.
>>
>> First of all, he is refusing to give the domain admin user's password.
>>
>> The questions he is asking are:
>>
>> Is this trust relationship two-directional? If yes, why does IPA require a
>> two-directional trust?
>> Can we build this trust one-directional?
>> Can we achieve this with a normal domain user?
>>
>> And he is opposed to entering the password on the command line, and I was
>> going through the trust using a pre-shared key, and it's too hard for me to
>> understand as I have no Windows experience.
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorourke at earthlink.net>
>> wrote:
>>
>>> A couple of ways to go about this.  If he is local to you, you could
>>> explain that you need to establish a trust with his domain and you need his
>>> assistance for a few minutes while you type the command to join, then have
>>> him type in the password.  You need to ensure that the DNS forward/stub
>>> zones are set up and working too.  If he is remote, you could use some
>>> screen-share software and share out your desktop and walk him through the
>>> part where he has to type the admin password.  There is also a way to
>>> create a trust using a pre-shared key.  That may be more acceptable to
>>> him.
>>>
>>> -Mike
>>>
>>> -----Original Message-----
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 8:42 AM
>>> To: freeipa-users
>>> Subject: [Freeipa-users] What if my AD domain user password not
>>> available
>>>
>>> Hi List,
>>>
>>> My Windows domain admin is not giving the domain admin user password.
>>>
>>> In this case, how can I proceed with ipa trust-add?
>>>
>>> Regards,
>>> Ben
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>
>>
>
>
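The DNS prerequisites Mike raised in the thread (distinct zone names for the AD domain and the IPA domain, working A/PTR records for the IPA server, and AD records reachable through forwarding) can be checked before running ipa trust-add. The script below is an added example, not from the list or the FreeIPA project; the domain names and hostname it uses are constructed placeholders, and the SRV names are the standard ones AD publishes for its domain controllers.

```shell
#!/bin/sh
# Pre-flight checks for a FreeIPA <-> AD trust. Only the first function is
# offline; the other two need dig (bind-utils) and access to the DNS that the
# IPA server actually uses, so they exercise the forwarder path as well.

# 0 when the AD zone and the IPA zone are distinct names (a subdomain of the
# AD zone, e.g. subdomain.mydomain.com, is fine); 1 when they collide.
zones_are_distinct() {
    ad=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ipa=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$ad" ] && [ -n "$ipa" ] && [ "$ad" != "$ipa" ]
}

# Resolve the SRV records a trust needs from the AD side; prints each missing
# name and returns 1 if any is absent (typically a missing forward zone).
check_ad_srv() {
    ad=$1; rc=0
    for name in "_ldap._tcp.dc._msdcs.$ad" "_kerberos._tcp.$ad"; do
        if ! dig +short SRV "$name" | grep -q .; then
            echo "missing SRV: $name"; rc=1
        fi
    done
    return $rc
}

# Forward (A) and reverse (PTR) lookup for the IPA server must agree.
check_ipa_host() {
    host=$(printf '%s' "$1" | sed 's/\.$//')
    ip=$(dig +short A "$host" | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $host"; return 1; }
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')
    [ "$ptr" = "$host" ] || { echo "PTR for $ip is '$ptr', expected $host"; return 1; }
}

# Example invocation (constructed names, matching the thread's layout):
#   zones_are_distinct corp.example.kw.com kw.example.com \
#     && check_ad_srv corp.example.kw.com \
#     && check_ipa_host ipa.kw.example.com
```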