On Mon, 2017-05-22 at 10:17 +0000, doug.ke...@wipro.com wrote:
> I'm wondering if anyone else has done something similar to us, and if so am
> wondering how you went about it or if it is indeed at all possible.
> Our situation is:
> * We have a few VMs which are domain joined to "internal.local" which is
> an Active Directory domain that we have no control over or administrative
> * We would like to install IPA on these VMs (replicated, with named for
> DNS) with a separate domain called "dev.zone"
> * Authentication to the VM itself via SSH should be carried out against
> "internal.local" still – we will point our own services that we are going to
> install like GitLab directly at the IPA server
> * "dev.zone" will be set up as a conditional forwarder on the Active
> Directory domain pointing at the IPA-installed named-pkcs11 service to do
> resolution for this domain
> My initial findings are that IPA installs fine but it changes some things in
> /etc/krb5.conf like:
> * Adding in "dev.zone" realm
> * Modifies the "default_realm" to be "dev.zone"
> * Leaves the "[realm]" definition for "internal.local" but empties it of
> the "kdc" and "admin_server" definitions
> * Removes the Kerberos tickets for "internal.local" that were in "net ads
> keytab list"
> This ultimately results in IPA working fine but authentication to the server
> via SSH no longer works as it's looking to "dev.zone" now.
> Is it possible to achieve what we're wanting to do? Can these two things
> co-exist peacefully?
It may be possible with custom scripts, but it will probably not be a
very stable solution as upgrades may change things in unexpected ways.
Sr. Principal Software Engineer
Red Hat, Inc
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
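The poster's observations about /etc/krb5.conf after ipa-client-install (a new "dev.zone" realm, a changed default_realm, and an "internal.local" realm stanza that survives but loses its kdc and admin_server lines) can be turned into a check that runs before and after an install or upgrade. The following is an added example written for this thread, not code from the thread or from the FreeIPA project. It contains a small parser for the INI-like krb5.conf syntax (nested `REALM = { ... }` blocks under [realms]; `include`/`includedir` directives are not followed) and a function that reports whether the realm the host still needs for SSH logins is intact. Both sample configurations, the realm names and the hostnames (dc1.internal.local, ipa1.dev.zone) are constructed to reproduce the symptom described above.

```python
import re

# Constructed sample: a host joined to the AD domain before IPA is installed.
BEFORE_IPA = """\
[libdefaults]
    default_realm = INTERNAL.LOCAL
    dns_lookup_kdc = true

[realms]
    INTERNAL.LOCAL = {
        kdc = dc1.internal.local
        admin_server = dc1.internal.local
    }

[domain_realm]
    .internal.local = INTERNAL.LOCAL
    internal.local = INTERNAL.LOCAL
"""

# Constructed sample reproducing the reported symptom: a DEV.ZONE realm was
# added, default_realm was switched to it, and the INTERNAL.LOCAL stanza is
# still present but empty.
AFTER_IPA = """\
[libdefaults]
    default_realm = DEV.ZONE
    dns_lookup_kdc = true

[realms]
    DEV.ZONE = {
        kdc = ipa1.dev.zone:88
        admin_server = ipa1.dev.zone:749
    }
    INTERNAL.LOCAL = {
    }

[domain_realm]
    .dev.zone = DEV.ZONE
    dev.zone = DEV.ZONE
    .internal.local = INTERNAL.LOCAL
    internal.local = INTERNAL.LOCAL
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}}.

    Inside nested blocks (the per-realm stanzas under [realms]) values are
    kept as lists, because "kdc" may legitimately be repeated. Comments
    starting with '#' or ';' and blank lines are ignored. This is a
    simplified parser for the check below, not libkrb5's profile parser.
    """
    conf = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {raw!r}")
        if line.endswith("{"):
            # Start of a nested block such as "INTERNAL.LOCAL = {".
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if block is not None:
            conf[section][block].setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def check_realm_sanity(text, required_realm):
    """Return findings (strings) about the realm that must keep working.

    An empty list means the realm still has its kdc and admin_server lines
    and is still the default_realm; anything else is a change worth
    reviewing before assuming SSH logins against that realm still work.
    """
    conf = parse_krb5_conf(text)
    findings = []
    realms = conf.get("realms", {})
    if required_realm not in realms:
        findings.append(f"realm {required_realm} missing from [realms]")
        return findings
    stanza = realms[required_realm]
    for key in ("kdc", "admin_server"):
        if not stanza.get(key):
            findings.append(f"realm {required_realm} has no {key} entry")
    default = conf.get("libdefaults", {}).get("default_realm")
    if default != required_realm:
        findings.append(f"default_realm is {default}, not {required_realm}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_IPA), ("after", AFTER_IPA)):
        print(label, check_realm_sanity(sample, "INTERNAL.LOCAL") or ["ok"])
```

To use it on a real host, read /etc/krb5.conf into `text` and call `check_realm_sanity(text, "INTERNAL.LOCAL")` (realm names are upper-case in krb5.conf even when the DNS domain is written in lower case). A missing kdc line is only fatal when dns_lookup_kdc is false or the realm's SRV records are not resolvable; the changed default_realm is what redirects SSH authentication to the new realm, which is why the check reports both.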