[Freeipa-users] AD integration and transitive trusts

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 7 21:03:39 UTC 2016


On Wed, 07 Sep 2016, Michael ORourke wrote:
>At my company, we are trying to set up a pilot with FreeIPA and we
>are having some issues.  We would like to leverage our corporate AD
>infrastructure which mainly lives in "somedom2.com", and is a member of
>the "rootdom1.com" forest.  Note the different DNS naming between the root
>domain and the tree.  Our FreeIPA domain is lnx.somedom2.com and is
>joined to rootdom1.com.  If we create users in rootdom1.com, we can use
>those accounts on servers joined to lnx.somedom2.com, but user accounts
>under somedom2.com will not work.  Could this be a transitive trust
>issue?  Is there something unique we need to set up on the Linux servers
>under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication
>from somedom2.com?
>
>rootdom1.com  (forest root domain)
>
>somedom2.com  (main domain tree, user and group accounts which need access to lnx.somedom2.com)
>
>lnx.somedom2.com  (FreeIPA domain, joined to forest rootdom1.com)

This configuration should work. There were some issues with SSSD
generating incorrect capaths in krb5.conf for some similar setups
in RHEL 7.2; this should be addressed in the latest RHEL 7.2.z release
and in Fedora 24.

However, in order to debug such cases, you need to look into
https://fedorahosted.org/sssd/wiki/Troubleshooting and provide logs that
demonstrate the problems you see. Don't forget also to tell us the freeipa/sssd
versions, down to 'rpm -q ...' output.

-- 
/ Alexander Bokovoy
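As an added illustration, not part of the thread and not the file SSSD actually generates, this is the shape of the [capaths] stanza the topology in the question needs for a user from the child tree to authenticate to a host in the IPA realm through the forest root. Realm names are assumed to be the upper-cased DNS names from the question; the include directory named in the comments is where SSSD writes its generated Kerberos configuration.

```ini
# Added example, not from the thread. Assumed realms are the upper-cased
# DNS names from the question. SSSD normally generates an equivalent file
# under /var/lib/sss/pubconf/krb5.include.d/ which /etc/krb5.conf pulls in
# via an includedir line; compare that generated file against this when
# debugging a "root domain users work, child tree users do not" symptom.
[capaths]
# Principals from the IPA realm reaching AD: the forest root is the only
# direct trust ("." means direct); the child tree is reached via the root.
LNX.SOMEDOM2.COM = {
    ROOTDOM1.COM = .
    SOMEDOM2.COM = ROOTDOM1.COM
}
# Tickets presented by users from the child tree must carry the root in
# their transited path, and the IPA side will only accept that path if it
# is listed here.
SOMEDOM2.COM = {
    LNX.SOMEDOM2.COM = ROOTDOM1.COM
}
ROOTDOM1.COM = {
    LNX.SOMEDOM2.COM = .
}
```

If the SSSD-generated file on an IPA client lacks the SOMEDOM2.COM block (or lists the wrong intermediate realm), the cross-realm ticket for the child tree's users fails transited-path validation while root-domain users keep working, which matches the behaviour described above; after logging in as a child-tree user, klist on the client should show the cross-realm TGT chain through ROOTDOM1.COM.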
