Thanks Simo. I figured it is probably a bad idea, appreciate the confirmation.
Doug

________________________________
From: Simo Sorce <s...@redhat.com>
Sent: 25 May 2017 15:18:11
To: Doug Kelly (INDIA - BAS)
Cc: firstname.lastname@example.org
Subject: Re: [Freeipa-users] Setting up IPA server on an already domain joined machine

On Mon, 2017-05-22 at 10:17 +0000, doug.ke...@wipro.com wrote:
> Hi,
>
> I'm wondering if anyone else has done something similar to us, and if so am
> wondering how you went about it or if it is indeed at all possible.
>
> Our situation is:
>
> * We have a few VMs which are domain joined to "internal.local", which is
>   an Active Directory domain that we have no control over or administrative
>   access to
> * We would like to install IPA on these VMs (replicated, with named for
>   DNS) with a separate domain called "dev.zone"
> * Authentication to the VM itself via SSH should still be carried out against
>   "internal.local" – we will point our own services that we are going to
>   install, like GitLab, directly at the IPA server
> * "dev.zone" will be set up as a conditional forwarder on the Active
>   Directory domain pointing at the IPA-installed named-pkcs11 service to do
>   resolution for this domain
>
> My initial findings are that IPA installs fine but it changes some things in
> /etc/krb5.conf, like:
>
> * Adding in the "dev.zone" realm
> * Modifying the "default_realm" to be "dev.zone"
> * Leaving the "[realm]" definition for "internal.local" but emptying it of
>   the "kdc" and "admin_server" definitions
> * Removing the Kerberos tickets for "internal.local" that were in "net ads
>   keytab list"
>
> This ultimately results in IPA working fine, but authentication to the server
> via SSH no longer works as it's looking to "dev.zone" now.
>
> Is it possible to achieve what we're wanting to do? Can these two things
> co-exist peacefully?
Doug,
it may be possible with custom scripts, but it will probably not be a very
stable solution as upgrades may change things in unexpected ways.

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
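A way to check a host for the krb5.conf changes Doug lists (default_realm switched to the IPA realm, and the AD realm stanza left in place but stripped of kdc and admin_server). This is an added example written for this thread, not code from FreeIPA or from either poster; the realm names, hostnames and before/after snapshots are constructed samples.

```python
"""Check /etc/krb5.conf for the changes the thread describes: default_realm
switched to the IPA realm and the AD realm stanza stripped of kdc/admin_server.
Realm names and the before/after snapshots below are constructed samples."""
import re

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with 'NAME = { ... }'
    blocks (as used under [realms]) parsed as nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                    # new [section]
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif line == "}":                        # end of a realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                     # start of 'REALM = {'
                block = key
                conf[section].setdefault(block, {})
            elif block is not None:
                conf[section][block][key] = value
            else:
                conf[section][key] = value
    return conf

def ad_realm_problems(conf, ad_realm):
    """Symptoms from the thread found in conf: 'default_realm' if it no longer
    names the AD realm, plus any of kdc/admin_server missing from its stanza."""
    problems = []
    if conf.get("libdefaults", {}).get("default_realm") != ad_realm:
        problems.append("default_realm")
    stanza = conf.get("realms", {}).get(ad_realm, {})
    return problems + [k for k in ("kdc", "admin_server") if k not in stanza]

# Constructed snapshots: before the IPA install, and after the edits Doug saw.
BEFORE = ("[libdefaults]\n default_realm = INTERNAL.LOCAL\n[realms]\n"
          " INTERNAL.LOCAL = {\n  kdc = dc1.internal.local\n"
          "  admin_server = dc1.internal.local\n }\n")
AFTER = ("[libdefaults]\n default_realm = DEV.ZONE\n[realms]\n"
         " INTERNAL.LOCAL = {\n }\n"                       # stanza kept but emptied
         " DEV.ZONE = {\n  kdc = ipa1.dev.zone:88\n  admin_server = ipa1.dev.zone:749\n }\n")

if __name__ == "__main__":
    print("before:", ad_realm_problems(parse_krb5_conf(BEFORE), "INTERNAL.LOCAL"))
    print("after: ", ad_realm_problems(parse_krb5_conf(AFTER), "INTERNAL.LOCAL"))
```

Run against the real file, a non-empty result after an install or upgrade is the signal to restore the AD realm's kdc/admin_server entries and default_realm before SSH logins against AD start failing.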