On Mon, 2017-05-22 at 10:17 +0000, doug.ke...@wipro.com wrote:
> Hi,
> I'm wondering if anyone else has done something similar to us, and if so am 
> wondering how you went about it or if it is indeed at all possible.
> Our situation is:
>   *   We have a few VMs which are domain joined to "internal.local" which is 
> an Active Directory domain that we have no control over or administrative 
> access
>   *   We would like to install IPA on these VMs (replicated, with named for 
> DNS) with a separate domain called "dev.zone"
>   *   Authentication to the VM itself via SSH should be carried out against 
> "internal.local" still – we will point our own services that we are going to 
> install like GitLab directly at the IPA server
>   *   "dev.zone" will be setup as a conditional forwarder on the Active 
> Directory domain pointing at the IPA-installed named-pkcs11 service to do 
> resolution for this domain
> My initial findings are that IPA installs fine but it changes some things in 
> /etc/krb5.conf like:
>   *   Adding in "dev.zone" realm
>   *   Modifies the "default_realm" to be "dev.zone"
>   *   Leaves the "[realm]" definition for "internal.local" but empties it of 
> the "kdc" and "admin_server" definitions
>   *   Removes the kerberos tickets for "internal.local" that were in "net ads 
> keytab list"
> This ultimately results in IPA working fine but authentication to the server 
> via SSH no longer works as it's looking to "dev.zone" now.
> Is it possible to achieve what we're wanting to do? Can these two things 
> co-exist peacefully?

it may be possible with custom scripts, but it will probably not be a
very stable solution as upgrades may change things in unexpected ways.


Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to