I'm wondering if anyone else has done something similar to us, and if so am 
wondering how you went about it or if it is indeed at all possible.

Our situation is:

  *   We have a few VMs which are domain joined to "internal.local" which is an 
Active Directory domain that we have no control over or administrative access
  *   We would like to install IPA on these VMs (replicated, with named for 
DNS) with a separate domain called "dev.zone"
  *   Authentication to the VM itself via SSH should be carried out against 
"internal.local" still – we will point our own services that we are going to 
install like GitLab directly at the IPA server
  *   "dev.zone" will be setup as a conditional forwarder on the Active 
Directory domain pointing at the IPA-installed named-pkcs11 service to do 
resolution for this domain

My initial findings are that IPA installs fine but it changes some things in 
/etc/krb5.conf like:

  *   Adding in "dev.zone" realm
  *   Modifies the "default_realm" to be "dev.zone"
  *   Leaves the "[realm]" definition for "internal.local" but empties it of 
the "kdc" and "admin_server" definitions
  *   Removes the kerberos tickets for "internal.local" that were in "net ads 
keytab list"

This ultimately results in IPA working fine but authentication to the server 
via SSH no longer works as it's looking to "dev.zone" now.

Is it possible to achieve what we're wanting to do? Can these two things 
co-exist peacefully?



Wipro Limited (Company Regn No in UK FC 019088) Address: Level 2, West wing, 3 
Sheldon Square, London W2 6PS, United Kingdom. Tel +44 20 7432 8500 Fax: +44 20 
7286 5703 VAT Number: 563 1964 27 (Branch of Wipro Limited (Incorporated in 
India at Bangalore with limited liability vide Reg no L99999KA1945PLC02800 with 
Registrar of Companies at Bangalore, India. Authorized share capital Rs 5550 
mn)) Please do not print this email unless it is absolutely necessary. The 
information contained in this electronic message and any attachments to this 
message are intended for the exclusive use of the addressee(s) and may contain 
proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. WARNING: Computer viruses can be transmitted via email. The 
recipient should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any virus 
transmitted by this email. www.wipro.com
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to