----- Original Message -----
> I think I'll raise a ticket then.  Not that the _srv_ records don't do
> the right job.  It's just that in my scenario they are unusable.  I
> can't be alone in deploying IPA in a network already "dominated" by
> AD.
> 
> For now (as I said in another reply), I'll randomly configure clients
> to either ipa1/ipa2 or ipa2/ipa1.

You are not alone, but we strongly suggest using a separate DNS domain for the 
FreeIPA server and, if possible, for its clients. Either a same-level domain or, 
at least, a delegated zone.

For example:

corp.domain.com -> AD
unix.domain.com -> FreeIPA

with forwards between them.

Or:

domain.com -> AD
domain.net -> FreeIPA

again with forwards.

Or:

domain.com -> AD
unix.domain.com -> FreeIPA

with AD delegating out the unix. subdomain to FreeIPA.

In general we strongly suggest not using the same DNS domain for the AD and FreeIPA 
domains, as using the same domain name makes it impossible to have Kerberos-level 
interop between the 2 domains (trust relationships cannot be established 
if they use the same DNS domain and/or the same realm name, for example).


Simo.
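As an added example (not code from the thread or from the FreeIPA project), the script below classifies a proposed AD/FreeIPA domain pairing against the three layouts Simo describes, flags the same-domain/same-realm case that blocks a trust, and emits the DNS pieces each working layout needs: NS records plus glue in the AD parent zone for the delegated layout, and a plain BIND forward-zone stanza for the side-by-side layouts. Host names, realm names and addresses are constructed for illustration.

```python
# Added example (not from the mailing-list thread): classify an AD / FreeIPA
# DNS domain pairing against the layouts recommended above and emit the DNS
# configuration each one needs. Host names and addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Layout:
    kind: str   # "separate" (forwarders), "delegated" (AD hands a subdomain to IPA), "collision"
    ok: bool
    note: str

def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")

def classify(ad_domain: str, ipa_domain: str, ad_realm: str, ipa_realm: str) -> Layout:
    ad, ipa = _labels(ad_domain), _labels(ipa_domain)
    # Same DNS domain and/or same realm name: no Kerberos trust can be established.
    if ad == ipa or ad_realm.upper() == ipa_realm.upper():
        return Layout("collision", False, "AD and FreeIPA share a DNS domain or realm name")
    # FreeIPA lives in a subdomain of AD: AD must delegate it (NS records plus glue).
    if len(ipa) > len(ad) and ipa[-len(ad):] == ad:
        return Layout("delegated", True, f"AD delegates {ipa_domain} to the FreeIPA servers")
    # AD inside the FreeIPA domain is not among the layouts recommended here.
    if len(ad) > len(ipa) and ad[-len(ipa):] == ipa:
        return Layout("nested-ad", False, "AD domain sits under the FreeIPA domain")
    # Disjoint domains (corp./unix. siblings or .com/.net): forward between them.
    return Layout("separate", True, "configure forward zones in both directions")

def delegation_records(ipa_domain: str, ipa_servers: dict[str, str]) -> list[str]:
    """Zone-file lines for the AD parent zone: NS records plus A glue, needed
    because the name servers are named inside the zone being delegated."""
    zone = ipa_domain.rstrip(".") + "."
    lines = [f"{zone} IN NS {host}.{zone}" for host in ipa_servers]
    lines += [f"{host}.{zone} IN A {addr}" for host, addr in ipa_servers.items()]
    return lines

def forward_zone(domain: str, forwarders: list[str]) -> str:
    """BIND 'type forward' stanza pointing one side at the other's name servers."""
    fwd = " ".join(f"{ip};" for ip in forwarders)
    return (f'zone "{domain.rstrip(".")}" {{\n    type forward;\n'
            f"    forward only;\n    forwarders {{ {fwd} }};\n}};")

if __name__ == "__main__":
    print(classify("domain.com", "domain.com", "DOMAIN.COM", "UNIX.DOMAIN.COM"))
    print(classify("domain.com", "unix.domain.com", "DOMAIN.COM", "UNIX.DOMAIN.COM"))
    for line in delegation_records("unix.domain.com", {"ipa1": "10.0.0.1", "ipa2": "10.0.0.2"}):
        print(line)
    print(forward_zone("corp.domain.com", ["10.0.1.1", "10.0.1.2"]))
```

The AD side needs the matching conditional forwarder or the delegation configured in its own DNS server; the stanza here covers only the BIND side.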

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users