> On 7 Aug 2017, at 07:01, Sameer Gurung via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi All,
>
> I have a network consisting of both Windows and Linux clients running Windows
> Server 2008 (Active Directory) and CentOS 7 (FreeIPA). Obviously, the Windows
> clients authenticate against the AD DC (domain windows.foo) and the Linux
> clients against FreeIPA (domain linux.bar). This setup is working fine.
> However, I now want to set up cross-domain trust between the two domains and
> had a few doubts which I wanted to clear before I proceed.
>
> I have gone through the steps of setting up this trust but I am not clear
> about the following questions:
>
> 1. Am I right in thinking that I will have to add forwarders to the two
> domains in the respective DNS servers?
This is described in http://www.freeipa.org/page/Active_Directory_trust_setup (section 5.3)

> 2. Which DNS do I set in my Linux clients? Do they still resolve against the
> FreeIPA DNS or the AD DNS?

See the link above, it really depends on your infrastructure but if you already have the IPA server acting as a DNS server, then I would guess it would be IPA DNS and in the IPA DNS you would configure a conditional forwarder to the AD DNS.

> 3. Also, what usernames will people use to log in to the Linux machines?
> Do they need to specify only the username or the full usern...@windows.foo?

This depends on the IPA and SSSD version you are using. Up to IPA 4.5 and SSSD 1.15, you would either use qualified names (u...@windows.foo) or ‘pin’ the short usernames to one domain with the default_domain_suffix. Starting with IPA 4.5 and SSSD 1.15 you can also set the domain resolution order:
http://www.freeipa.org/page/V4/AD_User_Short_Names
https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html

> 4. What about the existing FreeIPA users? And what if there are the same
> usernames in FreeIPA and AD DC?

Conflicting usernames are distinguished by qualifying them with the domain suffix (u...@windows.foo versus u...@linux.bar)

> Any help will be much appreciated.
> with regards,
>
> -----------------------------------------------------------------------
> Sameer Kr. Gurung
> -----------------------------------------------------------------------
> Saint Mary's College, Shillong, Meghalaya, India-793003,
> smcs.ac.in
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
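A simplified model of the short-name behaviour discussed in the answers to questions 3 and 4, added here as an example; it is not code from the thread, from SSSD or from FreeIPA. The directory contents and the `resolve()` and `shadowed()` helpers are hypothetical, and the model assumes first-match-wins for the domain resolution order and primary-domain-only lookup when neither setting is present.

```python
# Simplified model (not SSSD code) of how a login name selects a domain account.
# Directory contents are constructed; "jdoe" exists in both domains on purpose.
USERS = {
    "linux.bar": {"jdoe", "admin"},      # FreeIPA (primary) domain
    "windows.foo": {"jdoe", "asmith"},   # trusted AD domain
}
PRIMARY = "linux.bar"


def resolve(login, default_domain_suffix=None, resolution_order=None):
    """Return 'user@domain' for the account a login name selects, or None."""
    if default_domain_suffix and resolution_order:
        # Assumption of this model: the two mechanisms are alternatives.
        raise ValueError("model covers one short-name mechanism at a time")

    name, sep, domain = login.partition("@")
    if sep:
        # Qualified names are unambiguous; short-name settings are not consulted.
        candidates = [domain.lower()]
    elif default_domain_suffix:
        # Short names are pinned to one domain; everyone else must qualify.
        candidates = [default_domain_suffix]
    elif resolution_order:
        # Domains are searched in order; the first one holding the name wins.
        candidates = list(resolution_order)
    else:
        # No short-name setting: short names match the primary domain only.
        candidates = [PRIMARY]

    for dom in candidates:
        if name in USERS.get(dom, set()):
            return f"{name}@{dom}"
    return None


def shadowed(resolution_order):
    """Accounts whose short name is claimed by an earlier domain in the order."""
    seen, hidden = set(), []
    for dom in resolution_order:
        for name in sorted(USERS.get(dom, set())):
            if name in seen:
                hidden.append(f"{name}@{dom}")
            seen.add(name)
    return hidden
```

Running `shadowed()` over the intended resolution order before enabling short names lists the accounts that will only be reachable by their qualified name, which is worth checking against sudo and HBAC rules written with short names.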