On Wed, 19 Jun 2013, Brian Lee wrote:
Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately
our organization has not completed the migration to 2008 R2 yet. I know,
we're a little behind the curve on that, but fortunately Windows servers
aren't my responsibility ;-)

If the Kerberos realms are separate between Active Directory and FreeIPA,
why does the domain controller need to be Windows 2008 R2 for an external
trust? From what I understand, there is no difference in an external trust
in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.
Please note that actual requirement is to have functional level 2008 or
above, for cross-forest trusts.

In our limited testing using functional level 2003 things did not work
as expected. We didn't look deeper because functional level 2003 also lacks
AES encryption and making it working with weaker encryption for TGT was to
force downgrading encryption on IPA side, aside from unclear issues with RPC 
calls.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to