[Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 23 13:34:46 UTC 2016


On Wed, 23 Nov 2016, Chris Dagdigian wrote:
>
>
>Sumit Bose wrote:
>>NO. It is the other way round.
>>
>>It is _not_ recommended and will not even work properly to use the same
>>DNS domain for IPA and AD. Even worse with using the same realm for
>>both, this cannot work at all.
>>
>>It is required to have a different realm name for the IPA domain and it
>>is important to use a different DNS domain as well (a bit is possible
>>with hosts in the same DNS domain but you lose functionality here).
>>
>>Where did you find the recommendation to use the same DNS domain and
>>realm?
>>
>
>Apologies I must have been unclear. What I was trying to say is that
>we are going for the "hosts in the different DNS domain" deployment 
>scenario ...
>
>- We have unique domain name and realm for IPA:  company-ipa.org
>- We use company-aws.org in AWS and have  our own Active Directory 
>servers for: company-aws.org
>- We want to use ipa-client to bind our servers to company-ipa.org but 
>use DNS names from company-aws.org for operation
>
>Our end goal:
>- We have many external AD forests we are linking to company-ipa.org 
>one at a time
>- End goal: operate hosts with DNS name "company-aws.org" as IPA 
>clients of "company-ipa.org" using AD logins coming from the external 
>trusts
This setup should work with password-based authentication. It will not
work with GSSAPI (Kerberos) authentication. I think this is what you are
aware of and accepted as the limitation.

For the benefit of others, here is the list of articles and
documentation of the topic of mixed DNS domains/hostnames with Active
Directory:

- High-level description:
  http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

- Documentation chapter:
  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#ipa-in-ad-dns

- Technical details:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

There is nothing we can do with the Active Directory limitations beyond
these documents.


-- 
/ Alexander Bokovoy
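As an added example (not code from the FreeIPA project or from anyone in this thread), the following POSIX shell script turns the rules stated above into a check an administrator can run: it classifies a deployment from the host FQDN, the IPA DNS domain/realm and the AD DNS domain/realm, and it shows why GSSAPI SSH fails for a host that carries the AD DNS domain. The explanation it encodes is the standard Kerberos default that a client with no `[domain_realm]` override derives the realm from the host's DNS domain, so it asks for `host/<fqdn>@<AD realm>` while an IPA-enrolled host holds `host/<fqdn>@<IPA realm>` in its keytab (the linked documents cover the details). All host, domain and realm values are constructed, and the `check_this_host` helper assumes a standard `/etc/ipa/default.conf` with `host`, `domain` and `realm` keys.

```shell
#!/bin/sh
# Added example for this thread, not FreeIPA project code.
# Host, domain and realm values below are constructed for illustration.

# Realm a Kerberos client derives for a host when krb5.conf carries no
# [domain_realm] override: the host's DNS domain, upper-cased.
dns_derived_realm() {
    printf '%s' "${1#*.}" | tr 'a-z' 'A-Z'
}

# Service principal an SSH client requests for host $1 over GSSAPI when it
# relies on the DNS-derived realm.
expected_host_principal() {
    printf 'host/%s@%s' "$1" "$(dns_derived_realm "$1")"
}

# Principal an IPA-enrolled host holds in /etc/krb5.keytab: host/<fqdn>@<IPA
# realm> (assumption: a standard ipa-client-install enrolment).
enrolled_host_principal() {
    printf 'host/%s@%s' "$1" "$2"
}

# Returns 0 when the requested and held principals agree (GSSAPI SSH can
# work) and 1 when they differ (password authentication only).
gssapi_ssh_possible() {
    [ "$(expected_host_principal "$1")" = "$(enrolled_host_principal "$1" "$2")" ]
}

# Classify a layout. Prints one of: unsupported-same-realm,
# unsupported-same-dns-domain, full (host in the IPA DNS domain),
# password-only (host in the AD DNS domain), other.
# Args: HOST_FQDN IPA_DOMAIN IPA_REALM AD_DOMAIN AD_REALM
classify_layout() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ipa_domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    ipa_realm=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    ad_domain=$(printf '%s' "$4" | tr 'A-Z' 'a-z')
    ad_realm=$(printf '%s' "$5" | tr 'a-z' 'A-Z')
    host_domain=${host#*.}

    if [ "$ipa_realm" = "$ad_realm" ]; then
        echo unsupported-same-realm; return 0
    fi
    if [ "$ipa_domain" = "$ad_domain" ]; then
        echo unsupported-same-dns-domain; return 0
    fi
    case "$host_domain" in
        "$ipa_domain"|*."$ipa_domain") echo full ;;
        "$ad_domain"|*."$ad_domain")   echo password-only ;;
        *)                             echo other ;;
    esac
}

# Read the live host, domain and realm from an IPA client's default.conf
# (path overridable through IPA_DEFAULT_CONF); the AD side is supplied by
# the administrator.  Usage: check_this_host AD_DOMAIN AD_REALM
check_this_host() {
    conf=${IPA_DEFAULT_CONF:-/etc/ipa/default.conf}
    host=$(sed -n 's/^host *= *//p' "$conf")
    domain=$(sed -n 's/^domain *= *//p' "$conf")
    realm=$(sed -n 's/^realm *= *//p' "$conf")
    classify_layout "$host" "$domain" "$realm" "$1" "$2"
}

# The layout from the thread: IPA at company-ipa.org, AD at company-aws.org,
# hosts named under company-aws.org (constructed host name).
printf 'layout: %s\n' "$(classify_layout foo.company-aws.org company-ipa.org COMPANY-IPA.ORG company-aws.org COMPANY-AWS.ORG)"
printf 'client asks for: %s\n' "$(expected_host_principal foo.company-aws.org)"
printf 'host holds:      %s\n' "$(enrolled_host_principal foo.company-aws.org COMPANY-IPA.ORG)"
if gssapi_ssh_possible foo.company-aws.org COMPANY-IPA.ORG; then
    echo "GSSAPI SSH: possible"
else
    echo "GSSAPI SSH: will fail, password authentication only"
fi
```

On an enrolled client, `check_this_host company-aws.org COMPANY-AWS.ORG` reports the classification for the real host; a `password-only` result is the working-but-limited case Alexander describes, and the two `unsupported-*` results are the layouts Sumit rules out.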