[Freeipa-users] Novice question: can client hostname be in a different DNS domain than the IPA service?

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 5 14:13:54 UTC 2016


On Wed, 05 Oct 2016, Chris Dagdigian wrote:
>
>Hi folks,
>
>Working on a hairy multiple AD Forest integration issue in AWS and 
>would appreciate a sanity check - I've been wrong so many times about 
>IPA setup and navigating transitive AD trusts that I figured 
>it was time to ask questions first before falling on my face again, 
>heh.
>
>After reading the documentation we ended up getting a new domain name 
>to run our IPA server on -- seemed easier than creating and delegating 
>a subdomain off of the primary AD server.
>
>This is what we have:
>
>AD Forest #1:   company-test.org
>AD Forest #2:   company-aws.org
>IPA Server    :   company-ipa.org
>
>The IPA server at company-ipa.org has successfully created 1-way 
>trusts to the AD servers for company-test.org and company-aws.org
>
>I'm at the point now where I'm ready to try installing IPA clients and 
>have a simple sanity check question:
>
>##
>Can I launch a server in AWS with a hostname of "test.company-aws.org" 
>yet bind it to my IPA server at "ipa.company-ipa.org" so it can manage 
>users etc. ?
>##
>
>I was thinking of a command like:
>
># ipa-client-install \
>   --domain company-aws.org \
>   --server ipa.company-ipa.org \
>   --realm COMPANY-AWS.ORG
>
>Would appreciate a quick sanity check on if this is possible or 
>supported. The ipa-client-install command is failing ("cant verify 
>that server is an IPA server ..." ) but I'm not sure if it's because 
>I've got a config / DNS / port problem or if I'm (once again) trying 
>to do something stupid with IPA ...

You need to read this:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
to understand all limitations and problems.

This is a technical description. For a higher-level view, see
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

-- 
/ Alexander Bokovoy



