Thanks Simo. I figured it is probably a bad idea, appreciate the confirmation.


From: Simo Sorce <>
Sent: 25 May 2017 15:18:11
To: Doug Kelly (INDIA - BAS)
Subject: Re: [Freeipa-users] Setting up IPA server on an already domain joined 

** This mail has been sent from an external source **

On Mon, 2017-05-22 at 10:17 +0000, wrote:
> Hi,
> I'm wondering if anyone else has done something similar to us, and if so am 
> wondering how you went about it or if it is indeed at all possible.
> Our situation is:
>   *   We have a few VMs which are domain joined to "internal.local" which is 
> an Active Directory domain that we have no control over or administrative 
> access
>   *   We would like to install IPA on these VMs (replicated, with named for 
> DNS) with a separate domain called ""
>   *   Authentication to the VM itself via SSH should be carried out against 
> "internal.local" still – we will point our own services that we are going to 
> install like GitLab directly at the IPA server
>   *   "" will be setup as a conditional forwarder on the Active 
> Directory domain pointing at the IPA-installed named-pkcs11 service to do 
> resolution for this domain
> My initial findings are that IPA installs fine but it changes some things in 
> /etc/krb5.conf like:
>   *   Adding in "" realm
>   *   Modifies the "default_realm" to be ""
>   *   Leaves the "[realm]" definition for "internal.local" but empties it of 
> the "kdc" and "admin_server" definitions
>   *   Removes the kerberos tickets for "internal.local" that were in "net ads 
> keytab list"
> This ultimately results in IPA working fine but authentication to the server 
> via SSH no longer works as it's looking to "" now.
> Is it possible to achieve what we're wanting to do? Can these two things 
> co-exist peacefully?

it may be possible with custom scripts, but it will probably not be a
very stable solution as upgrades may change things in unexpected ways.


Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

Wipro Limited (Company Regn No in UK FC 019088) Address: Level 2, West wing, 3 
Sheldon Square, London W2 6PS, United Kingdom. Tel +44 20 7432 8500 Fax: +44 20 
7286 5703 VAT Number: 563 1964 27 (Branch of Wipro Limited (Incorporated in 
India at Bangalore with limited liability vide Reg no L99999KA1945PLC02800 with 
Registrar of Companies at Bangalore, India. Authorized share capital Rs 5550 
mn)) Please do not print this email unless it is absolutely necessary. The 
information contained in this electronic message and any attachments to this 
message are intended for the exclusive use of the addressee(s) and may contain 
proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. WARNING: Computer viruses can be transmitted via email. The 
recipient should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any virus 
transmitted by this email.
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to