On Wed, 2011-08-03 at 10:22 +0200, Ondrej Valousek wrote: > Hi List, > > I have some questions regarding IPA: > 1. On the IPA client side, which daemon is looking after machine > Kerberos host/ principal renewal?
Keytabs are random secrets and do not need to expire as cracking them is consider a problem out of current computational reach unlike users passwords which use a much smaller set of values and is less randomic in nature. > 1. If I installed Samba4 on the IPA server, what would happen? Is > it possible? Would I get 2xKDCs, 2xLDAP servers and 2x DNS > server or is it possible for Samba4 to re-use the existing IPA > repository? Nothing would work as they would want to use the same ports (LDAP, KDC, kpasswd ...). No Samba4 cannot use FreeIPA's LDAP because Windows client wants a perfect copy of AD's schema and DIT so samba4 has to use the embedded LDAP and KDC. > 1. Can I use the Adam's LDAP plugin for BIND to deploy a DNS > server with Active Directory integrated zone running on Linux? The bind-dyndb-ldap plugin can be used to store any kind of data. And it properly allows bind to set record on DNS Updates. so yes, you can, but you may want to use a tool to make it easier to modify LDAP records then. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users