1. Do you have the same realms for both IPA and AD?
Yes.

2. Do you have exactly same DNS domains for both IPA and AD?
Also yes. Because of this we must, for now, maintain 2 seperate DNS
implementations: one for AD and one for IPA, because otherwise the service
records would name-clash.

If I get correctly from the above description, your new RHEL 6.4 server
is enrolled into IPA domain, i.e. its host keytab contains keys to
the host service coming from IPA KDC. It probably also uses SSSD in both
nsswitch and PAM configurations?
Correct!

Are you planning to use pam_winbind/nss_winbind for the Samba/AD
interoperability?
I don't know yet. It depends on what works best with this setup. I am not
(yet) a Samba wunderguy, so these discussions help me (thanks for that).

Fred

On Wed, Jul 3, 2013 at 11:11 AM, Alexander Bokovoy <a...@vda.li> wrote:

> On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> >Hi there,
> >
> >We have an IPA domain and an AD domain with the exact same domain name.
> >This was set up like this because we had the idea at the time that we
> >wanted to migrate all AD to IPA. This is still the long term goal, but we
> >need to postpone that.
> >
> >All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
> >provision a new RHEL64 server who must run a Samba Server which must be
> >member of the AD domain.
> >
> >Questions:
> >
> >1. If this possible?
> >2. Will the fact that both IPA and AD have the same name be a problem?
> >
> >I did some preliminary looking around and found the file /etc/krb5.conf as
> >a possible problem point.
> It would help to explain a bit more about your setup.
>
> 1. Do you have the same realms for both IPA and AD?
> 2. Do you have exactly same DNS domains for both IPA and AD?
>
> If I get correctly from the above description, your new RHEL 6.4 server
> is enrolled into IPA domain, i.e. its host keytab contains keys to
> the host service coming from IPA KDC. It probably also uses SSSD in both
> nsswitch and PAM configurations? Are you planning to use
> pam_winbind/nss_winbind for the Samba/AD interoperability?
>
> You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD
> uses by containing Samba to use separate krb5.conf. You'll need to add
>
> KRB5_CONFIG=/path/to/specific/krb5.conf
>
> to the files that are sources during start up of smbd/winbindd/nmbd.
>
> However, there will be certain problem with pam_winbind since it does
> not allow to redefine krb5.conf.
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to