On Wed, 28 Aug 2024, patrik uytterhoeven via FreeIPA-users wrote:
> Hi,
>
> I would like to know if I can install FreeIPA for my Linux servers
> in the same domain that is being used by AD for the Windows servers, without
> any trusts between both servers. I would like to keep the domain name the same,
> but also want to be sure that this will not create any conflicts.

We do not support that, for various reasons. This will create conflicts
at the very fundamental level.

1. AD domain controller owns its DNS domain. Any host in the same DNS
    domain is considered belonging to this AD domain. Child DNS domains
    (DNS subdomains, e.g. sub.example.com for example.com) can belong
    either to the AD domain within the same forest or to a separate
    forest.

2. Each AD forest has at least one DNS domain associated with it. When
    trust is established between two forests (cross-forest trust),
    forest root level domain controllers from both sides check the other
    forest's list of associated DNS domains for conflicts with their
    own lists.

3. Note also that AD customarily expects that the forest root level DNS domain
    has the same name as the realm. E.g., CORP.FOO realm should have
    forest root level DNS domain corp.foo. AD DC will attempt to do
    service discovery via DNS by taking the realm name and using it as
    DNS domain name. Thus, at least the DNS domain named as IPA realm
    must have enough SRV/TXT records to point to proper KDC and DC
    records for IPA.

On the Linux side, both MIT Kerberos and Heimdal Kerberos depend on DNS
discovery for a number of features. While there are ways to disable some
of the discovery process, it cannot be avoided completely. We do not
support that in FreeIPA. For manual configuration it means a nightmare
of maintaining such a setup, since you'd always have to keep the DNS-to-realm
and KDC mappings manual.

In addition to that, login of AD users to IPA systems will not be
possible. Both would have the same Kerberos realm and cannot be
distinguished in the configuration. SSSD does not support this kind of
setup at all.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
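As an added illustration of the DNS-based discovery described in the reply above (this is not code from the thread, from FreeIPA or from MIT Kerberos), the following Python simulates how a Kerberos client derives the realm from TXT records, derives KDCs from SRV records under the realm's DNS domain, and why two directory services publishing into the same domain collide. The zone contents and the hostnames dc1/ipa1 are constructed; the OWNER map is a hypothetical label used only for the conflict report.

```python
"""Simulate Kerberos realm/KDC discovery over a constructed DNS zone (no network)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed zone: (name, type) -> values. SRV values are (priority, weight, port, target).
# Both an AD DC and an IPA server have been published under corp.foo, as in the question.
ZONE = {
    ("_kerberos.corp.foo", "TXT"): ["CORP.FOO"],
    ("_kerberos._tcp.corp.foo", "SRV"): [(0, 100, 88, "dc1.corp.foo"), (0, 100, 88, "ipa1.corp.foo")],
    ("_kerberos._udp.corp.foo", "SRV"): [(0, 100, 88, "dc1.corp.foo"), (0, 100, 88, "ipa1.corp.foo")],
    ("_ldap._tcp.corp.foo", "SRV"): [(0, 100, 389, "dc1.corp.foo"), (0, 100, 389, "ipa1.corp.foo")],
    ("_ldap._tcp.dc._msdcs.corp.foo", "SRV"): [(0, 100, 389, "dc1.corp.foo")],  # AD-only locator record
}
# Hypothetical label: which service published each target (only used for reporting).
OWNER = {"dc1.corp.foo": "AD", "ipa1.corp.foo": "IPA"}


def realm_for_host(host: str) -> Optional[str]:
    """TXT-based realm lookup: _kerberos.<host>, then each parent domain, until a realm is found."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        txt = ZONE.get(("_kerberos." + ".".join(labels[i:]), "TXT"))
        if txt:
            return txt[0]
    return None


def kdcs_for_realm(realm: str, proto: str = "udp") -> List[str]:
    """The lowercased realm is used as the DNS domain; KDCs come from _kerberos._<proto>.<domain> SRV."""
    srv = ZONE.get((f"_kerberos._{proto}.{realm.lower()}", "SRV"), [])
    return [f"{target}:{port}" for _, _, port, target in sorted(srv)]


def srv_conflicts(domain: str) -> Dict[str, Set[str]]:
    """Report SRV names under `domain` whose targets belong to more than one directory service."""
    owners = defaultdict(set)
    for (name, rtype), values in ZONE.items():
        if rtype == "SRV" and name.endswith("." + domain):
            for _, _, _, target in values:
                owners[name].add(OWNER.get(target, "unknown"))
    return {name: o for name, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    print(realm_for_host("ws1.corp.foo"))       # CORP.FOO: the client cannot tell AD from IPA here
    print(kdcs_for_realm("CORP.FOO"))           # both dc1 and ipa1 are returned as KDCs for one realm
    for name, who in sorted(srv_conflicts("corp.foo").items()):
        print(f"{name} is claimed by {sorted(who)}")
```

The same SRV names serve both KDCs, so a client resolving CORP.FOO may be sent to either server, which is the configuration ambiguity the reply points out.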
