Well, I can give you how I think this works, but I stand to be corrected...

So, there is auto-discovery for Kerberos going on via DNS, but AD's DNS already 
has such Kerberos records for its own services, so a Linux client is going to try 
and do this, but it's going to get AD results and not IPA results, so it fails, 
so you have to be specific in commands.

For instance, on install with IPA DNS I can type:

ipa-client-install --mkhomedir

and it figures out the DNS entries of the IPA server(s) and picks one to join.

If you can't do this as you are using AD's DNS then you have to specify the 
server and domain.

I think this might also impact load balancing across IPA's LDAP/Kerberos 
servers, so if you have hard-coded the KDC the client won't use DNS to pick one 
of the others (assuming you have any).

I assume that any disadvantage AD suffers from not having its own integrated 
DNS will also apply to IPA; from my limited reading this seems to be the case.

When joining a Linux client to IPA with its own DNS, DNS also gets 
updated. If you are using AD DNS, then is that a manual process?


Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 3:12 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

I would not expect that there would be any problem with AD and IPA coexisting 
when the realm names are different, but I have heard reports that there are 
problems, especially when Linux clients are configured to use AD for DNS.  
Trying to figure out what the problem is.  I understand your delegated dns 
setup.  What if the customer must use AD for all DNS?


On Feb 23, 2012, at 3:28 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:

> Hi,
> Subnet? IP addressing will not matter; it's DNS that is the main issue, for me 
> anyway. I can't see IP / subnets mattering?
> So, yes if you have AD as the same realm as IPA then only one will work well 
> from what I can read, IPA has to have its neat auto-discovery/balancing 
> features turned off, or at least hobbled.
> So, as an example I have vuw.ac.nz as the AD DNS domain / Kerberos realm and 
> then unix.vuw.ac.nz as the sub-domain / sub Kerberos realm, with AD delegating 
> DNS to the IPA servers. This way the unix domain is "independent but 
> referenced"...
> e.g. I find the auto-discovery is working fine...
> So Windows clients talk to AD directly, Linux clients talk to IPA directly, 
> if the Linux clients need to DNS the IPA servers get that for them from 
> AD...
> I have some Visio diagrams of how I have done it if you want them... it may 
> not be the best way? But with so little architecture info available it's all I 
> have.
> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
> ________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Brian Cook [bc...@redhat.com]
> Sent: Friday, 24 February 2012 9:59 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] need info on AD / IPA coexistence
> I have heard that we currently have problems with IPA and AD existing on the 
> same subnet, possibly only when using AD as DNS servers, possibly even when 
> the realm names are different.  I have not been able to find good concrete 
> information or BZ's regarding this.  I am looking for clarification as to 
> what problems exist, why, is it a bug or just a fact, is it our bug or is it 
> an MS-AD issue, etc.  I need to understand what is going on as I have 
> customers who are looking to deploy mixed IPA / AD environments.  Any help or 
> information would be appreciated.
> Thanks,
> Brian
> ---
> Brian Cook
> Solutions Architect, West Region
> Red Hat, Inc.
> 407-212-7079
> bc...@redhat.com
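The SRV-based auto-discovery the thread is arguing about, as an added illustration that is not from the list thread or from the FreeIPA project: a small Python model of what a client finds under an AD-served parent domain (vuw.ac.nz) versus a sub-domain delegated to IPA (unix.vuw.ac.nz), and when the explicit --domain/--server/--realm form of ipa-client-install becomes necessary. The SRV records and the IPA host set are constructed, and the client's "is this server really IPA?" probe is simplified to a set-membership check.

```python
import random

# Constructed SRV data (not real DNS): name -> [(priority, weight, port, target)].
# vuw.ac.nz is served by AD, so its SRV records point at domain controllers;
# unix.vuw.ac.nz is delegated to the IPA servers, as in the thread's setup.
CONSTRUCTED_SRV = {
    "_ldap._tcp.vuw.ac.nz": [(0, 100, 389, "dc1.vuw.ac.nz"),
                             (0, 100, 389, "dc2.vuw.ac.nz")],
    "_ldap._tcp.unix.vuw.ac.nz": [(0, 50, 389, "ipa1.unix.vuw.ac.nz"),
                                  (10, 50, 389, "ipa2.unix.vuw.ac.nz")],
}
# Stand-in (constructed) for the client's check that a discovered LDAP server is IPA.
CONSTRUCTED_IPA_HOSTS = {"ipa1.unix.vuw.ac.nz", "ipa2.unix.vuw.ac.nz"}


def srv_order(records, rng=random):
    """Order SRV targets as RFC 2782 says: lowest priority first,
    weighted-random among equal priorities. This is the failover list
    a client gives up when a single server is hard-coded."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            chosen = rng.choices(pool, weights=[r[1] or 1 for r in pool])[0]
            ordered.append(chosen[3])
            pool.remove(chosen)
    return ordered


def discover_ipa_servers(client_domain, srv=CONSTRUCTED_SRV, ipa_hosts=CONSTRUCTED_IPA_HOSTS):
    """Mimic auto-discovery: look up _ldap._tcp under the client's own domain and
    keep only targets that are IPA servers. Under an AD-served domain the SRV
    answer is the AD DCs, so nothing usable for IPA comes back."""
    candidates = srv_order(srv.get("_ldap._tcp." + client_domain, []))
    return [host for host in candidates if host in ipa_hosts]


def install_command(client_domain, ipa_domain=None, server=None, realm=None):
    """Build the ipa-client-install argv: bare discovery when it finds IPA,
    otherwise the explicit --domain/--server/--realm form the thread describes."""
    if discover_ipa_servers(client_domain):
        return ["ipa-client-install", "--mkhomedir"]
    if not (ipa_domain and server and realm):
        raise ValueError("no IPA server found via SRV under %s; "
                         "--domain, --server and --realm are required" % client_domain)
    # With --server the client is pinned to one target instead of the SRV list.
    return ["ipa-client-install", "--mkhomedir", "--domain", ipa_domain,
            "--server", server, "--realm", realm]
```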

Freeipa-users mailing list