On Wed, 03 Jul 2013, Fred van Zwieten wrote:
Hi there,

We have an IPA domain and an AD domain with the exact same domain name.
This was set up like this because we had the idea at the time that we
wanted to migrate all AD to IPA. This is still the long term goal, but we
need to postpone that.

All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
provision a new RHEL64 server which must run a Samba Server which must be a
member of the AD domain.


1. Is this possible?
2. Will the fact that both IPA and AD have the same name be a problem?

I did some preliminary looking around and found the file /etc/krb5.conf as
a possible problem point.

It would help to explain a bit more about your setup.

1. Do you have the same realms for both IPA and AD?
2. Do you have exactly same DNS domains for both IPA and AD?

If I get correctly from the above description, your new RHEL 6.4 server
is enrolled into IPA domain, i.e. its host keytab contains keys to
the host service coming from IPA KDC. It probably also uses SSSD in both
nsswitch and PAM configurations? Are you planning to use
pam_winbind/nss_winbind for the Samba/AD interoperability?

You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD
uses by containing Samba to use separate krb5.conf. You'll need to add


to the files that are sourced during start up of smbd/winbindd/nmbd.

However, there will be a certain problem with pam_winbind since it does
not allow redefining krb5.conf.

/ Alexander Bokovoy

Freeipa-users mailing list
