On Wed, 03 Jul 2013, Fred van Zwieten wrote:
1. Do you have the same realms for both IPA and AD?
2. Do you have exactly same DNS domains for both IPA and AD?
Also yes. Because of this we must, for now, maintain 2 separate DNS
implementations: one for AD and one for IPA, because otherwise the service
records would name-clash.
If I get correctly from the above description, your new RHEL 6.4 server
is enrolled into IPA domain, i.e. its host keytab contains keys to
the host service coming from IPA KDC. It probably also uses SSSD in both
nsswitch and PAM configurations?
Are you planning to use pam_winbind/nss_winbind for the Samba/AD
I don't know yet. It depends on what works best with this setup. I am not
(yet) a Samba wunderguy, so these discussions help me (thanks for that).
I'm not sure that this configuration will work flawlessly.
If the host is not enrolled to IPA realm, you can easily make it
working against AD domain. If you enrolled the host to IPA realm which
is exactly same as AD domain, both DNS and krb5.conf collisions will be
creating quite serious issues. Basically, it is 'either - either' case.
/ Alexander Bokovoy
Freeipa-users mailing list