OK,

I know this is an old thread, but I just got a new idea.

What if I create a NT4 style domain on our SAMBA servers, So I have a Samba
NT4 style PDC. Then I create a NT4 style trust with the AD domain. This
way, I don't use kerberos nor DNS SRV records, both of which are needed if
I would go the AD route. But now, users from the AD domain can access Samba
shares.

Correct?

Fred

On Wed, Jul 3, 2013 at 4:19 PM, Alexander Bokovoy <aboko...@redhat.com>wrote:

> On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> >1. Do you have the same realms for both IPA and AD?
> >Yes.
> >
> >2. Do you have exactly same DNS domains for both IPA and AD?
> >Also yes. Because of this we must, for now, maintain 2 seperate DNS
> >implementations: one for AD and one for IPA, because otherwise the service
> >records would name-clash.
> >
> >If I get correctly from the above description, your new RHEL 6.4 server
> >is enrolled into IPA domain, i.e. its host keytab contains keys to
> >the host service coming from IPA KDC. It probably also uses SSSD in both
> >nsswitch and PAM configurations?
> >Correct!
> >
> >Are you planning to use pam_winbind/nss_winbind for the Samba/AD
> >interoperability?
> >I don't know yet. It depends on what works best with this setup. I am not
> >(yet) a Samba wunderguy, so these discussions help me (thanks for that).
> I'm not sure that this configuration will work flawlessly.
>
> If the host is not enrolled to IPA realm, you can easily make it
> working against AD domain. If you enrolled the host to IPA realm which
> is exactly same as AD domain, both DNS and krb5.conf collisions will be
> creating quite serious issues. Basically, it is 'either - either' case.
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to