[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?
Chris Dagdigian
dag at sonsorol.org
Wed Nov 23 13:25:52 UTC 2016
Sumit Bose wrote:
> NO. It is the other way round.
>
> It is _not_ recommended and will not even work properly to use the same
> DNS domain for IPA and AD. Even worse with using the same realm for
> both, this cannot work at all.
>
> It is required to have a different realm name for the IPA domain and it
> is important to use a different DNS domain as well (a bit is possible
> with hosts in the same DNS domain but you lose functionality here).
>
> Where did you find the recommendation to use the same DNS domain and
> realm?
>
Apologies, I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment
scenario ...
- We have a unique domain name and realm for IPA: company-ipa.org
- We use company-aws.org in AWS and have our own Active Directory
servers for: company-aws.org
- We want to use ipa-client to bind our servers to company-ipa.org but
use DNS names from company-aws.org for operation
Our end goal:
- We have many external AD forests we are linking to company-ipa.org one
at a time
- End goal: operate hosts with DNS name "company-aws.org" as IPA clients
of "company-ipa.org" using AD logins coming from the external trusts
-Chris
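A preflight check for the layout discussed in this thread, added here as an example and not part of either post: it fails when IPA and a trusted AD forest share a realm or DNS domain (which the reply above says cannot work), and only warns when a client host's DNS name is outside the IPA DNS domain (allowed, with reduced functionality). The function name and the sample values are assumptions.

```shell
#!/bin/sh
# check_ipa_ad_layout IPA_DOMAIN IPA_REALM AD_DOMAIN AD_REALM HOST_FQDN
# Exit 0 when the layout is acceptable, 1 when it cannot work.
# (Hypothetical helper; the name is not from the thread or from FreeIPA.)
check_ipa_ad_layout() {
    ipa_domain=$1; ipa_realm=$2; ad_domain=$3; ad_realm=$4; host_fqdn=$5
    rc=0

    # Realms are conventionally upper-case; compare case-insensitively.
    ipa_realm_u=$(printf '%s' "$ipa_realm" | tr '[:lower:]' '[:upper:]')
    ad_realm_u=$(printf '%s' "$ad_realm" | tr '[:lower:]' '[:upper:]')
    if [ "$ipa_realm_u" = "$ad_realm_u" ]; then
        echo "FAIL: IPA and AD share realm $ipa_realm_u; a trust cannot work" >&2
        rc=1
    fi

    # DNS names are case-insensitive; compare lower-cased.
    ipa_domain_l=$(printf '%s' "$ipa_domain" | tr '[:upper:]' '[:lower:]')
    ad_domain_l=$(printf '%s' "$ad_domain" | tr '[:upper:]' '[:lower:]')
    if [ "$ipa_domain_l" = "$ad_domain_l" ]; then
        echo "FAIL: IPA and AD share DNS domain $ipa_domain_l; not supported" >&2
        rc=1
    fi

    # Strip the leftmost label to get the host's DNS domain.
    host_domain=$(printf '%s' "$host_fqdn" | tr '[:upper:]' '[:lower:]' | cut -d. -f2-)
    if [ "$host_domain" != "$ipa_domain_l" ]; then
        echo "WARN: $host_fqdn is outside IPA DNS domain $ipa_domain_l;" \
             "clients there work with reduced functionality"
    fi

    return $rc
}

# Constructed values matching the scenario in the thread.
check_ipa_ad_layout company-ipa.org COMPANY-IPA.ORG \
                    company-aws.org COMPANY-AWS.ORG host1.company-aws.org
```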