[Freeipa-users] AD integration and transitive trusts

Michael ORourke mrorourke at earthlink.net
Wed Sep 7 20:45:02 UTC 2016


At my company, we are trying to set up a pilot with FreeIPA and we are having some issues.  We would like to leverage our corporate AD infrastructure, which mainly lives in "somedom2.com" and is a member of the "rootdom1.com" forest.  Note the different DNS naming between the root domain and the tree.  Our FreeIPA domain is lnx.somedom2.com and is joined to rootdom1.com.  If we create users in rootdom1.com, we can use those accounts on servers joined to lnx.somedom2.com, but user accounts under somedom2.com will not work.  Could this be a transitive trust issue?  Is there something unique we need to set up on the Linux servers under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication from somedom2.com?

rootdom1.com  (forest root domain)

somedom2.com  (main domain tree, users and groups accounts which need access to lnx.somedom2.com)

lnx.somedom2.com  (freeIPA domain, joined to forest rootdom1.com)

-Mike
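One check a practitioner would run in this situation is to confirm that every AD domain of the trusted forest is actually listed, and enabled, on the IPA side: a forest trust to rootdom1.com pulls in somedom2.com as a separate trust-domain entry, and that entry can be disabled independently of the root. The script below is an added example, not code from the original post or from FreeIPA itself. It parses the output of `ipa trustdomain-find rootdom1.com` and reports which sub-domains are disabled, which `ipa trustdomain-enable` commands would turn them on, and whether a given user@domain falls in an enabled domain. The sample output is constructed to match the poster's layout (two SIDs invented), and the exact field labels are an assumption modelled on FreeIPA's trustdomain output; compare them against a live run before relying on the parser.

```python
"""Check which AD sub-domains of a FreeIPA forest trust are enabled.

Added example: parses `ipa trustdomain-find <forest>` text. Field labels are
assumed to follow FreeIPA's trustdomain plugin output; verify on a live host.
"""
import re
import shlex

# Constructed sample (not real output from the poster's environment). SIDs invented.
SAMPLE_TRUSTDOMAIN_FIND = """\
---------------
2 domains matched
---------------
  Domain name: rootdom1.com
  Domain NetBIOS name: ROOTDOM1
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Domain enabled: True

  Domain name: somedom2.com
  Domain NetBIOS name: SOMEDOM2
  Domain Security Identifier: S-1-5-21-4444444444-5555555555-6666666666
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------
"""

# Assumed field labels; anything else (separators, counts) is ignored.
FIELD_RE = re.compile(
    r"^\s*(Domain name|Domain NetBIOS name|Domain Security Identifier|Domain enabled):"
    r"\s*(.*?)\s*$"
)


def parse_trustdomains(text):
    """Return one dict per 'Domain name:' record, in listing order."""
    domains = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Domain name":
            current = {"name": value.lower(), "netbios": None, "sid": None, "enabled": None}
            domains.append(current)
        elif current is None:
            continue  # a field before any 'Domain name' line; nothing to attach it to
        elif key == "Domain NetBIOS name":
            current["netbios"] = value
        elif key == "Domain Security Identifier":
            current["sid"] = value
        elif key == "Domain enabled":
            current["enabled"] = value == "True"
    return domains


def disabled_domains(text):
    """Names of trust sub-domains explicitly marked 'Domain enabled: False'."""
    return [d["name"] for d in parse_trustdomains(text) if d["enabled"] is False]


def enable_commands(trust, text):
    """The `ipa trustdomain-enable <trust> <domain>` commands that would fix each disabled entry."""
    return [f"ipa trustdomain-enable {shlex.quote(trust)} {shlex.quote(name)}"
            for name in disabled_domains(text)]


def user_domain_status(user, text):
    """'enabled', 'disabled' or 'unknown' for a user@domain against the listing.

    The lookup is by exact domain name, never by DNS suffix of the forest root:
    somedom2.com belongs to the rootdom1.com forest without sharing its suffix,
    so a suffix match on rootdom1.com would never find it.
    """
    if "@" not in user:
        return "unknown"
    domain = user.rsplit("@", 1)[1].lower()
    for d in parse_trustdomains(text):
        if d["name"] == domain:
            if d["enabled"] is None:
                return "unknown"
            return "enabled" if d["enabled"] else "disabled"
    return "unknown"


if __name__ == "__main__":
    for d in parse_trustdomains(SAMPLE_TRUSTDOMAIN_FIND):
        print(f"{d['name']:<16} netbios={d['netbios']:<10} enabled={d['enabled']}")
    for cmd in enable_commands("rootdom1.com", SAMPLE_TRUSTDOMAIN_FIND):
        print("fix:", cmd)
    print("alice@somedom2.com ->", user_domain_status("alice@somedom2.com", SAMPLE_TRUSTDOMAIN_FIND))
```

On a real IPA server, feed it the live listing (for example `ipa trustdomain-find rootdom1.com | python3 check.py` after replacing the sample with `sys.stdin.read()`); if the sub-domain is missing altogether rather than disabled, `ipa trust-fetch-domains rootdom1.com` refreshes the list from the forest before this check is re-run.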



