<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/30/2015 11:12 AM, Srdjan Dutina
wrote:<br>
</div>
<blockquote
cite="mid:CAGTepmD6=GFVQ9YXCY2ebTrwfjqKF01FchqceBe8etYuLGZAWg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi,<br>
<br>
I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on
a branch site where only an AD read-only domain controller (RODC)
exists.<br>
I'm aware that for the initial establishment of the trust I need access
to a writable domain controller so IPA can add the trust to AD
Domains and Trusts.<br>
But after the initial setup, can the FreeIPA-AD trust continue to
function with IPA access to the RODC only? </div>
</div>
</blockquote>
<br>
Should work.<br>
<br>
<blockquote
cite="mid:CAGTepmD6=GFVQ9YXCY2ebTrwfjqKF01FchqceBe8etYuLGZAWg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Will Kerberos authentication of AD users on IPA domain
hosts work?<br>
</div>
<div>In this case, should the FreeIPA server have a DNS forward zone
configured with the RODC as a forwarder to AD?<br>
</div>
</div>
</blockquote>
<br>
Can't help you here. Hopefully someone with DNS knowledge will chime
in, but they might be gone for the day.<br>
<br>
<blockquote
cite="mid:CAGTepmD6=GFVQ9YXCY2ebTrwfjqKF01FchqceBe8etYuLGZAWg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>AD users have cached passwords on the RODC, so authentication
is possible in case of a WAN link failure.<br>
<br>
</div>
<div>Thanks!<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>