On 12/08/2014 10:07 AM, Matthew Herzog wrote:
My Linux/LDAP domain is lnx.e-bozo.com. The AD domain is ad.e-bozo.com. This has always been the case. I set up my FreeIPA server in the lnx.e-bozo.com domain using realm LNX.E-BOZO.COM. In light of this, how should I proceed?


If you prefer to continue using your DNS servers, then you need to add manually to your DNS all the DNS records that FreeIPA defined for you at the end of the installation.
As soon as you have done this, you should be able to establish the trust.

You would need to update your DNS server with any new replicas you add.


On Mon, Dec 8, 2014 at 9:48 AM, Simo Sorce <s...@redhat.com> wrote:

    On Mon, 08 Dec 2014 08:58:46 -0500
    Dmitri Pal <d...@redhat.com> wrote:

    > > Perhaps I should have explained that we are not going to set up a
    > > new DNS domain for the ipa-managed servers.

    Note that if you cannot set up a new DNS domain and this domain is the
    same as the AD domain then you cannot do the stuff Dmitri describes
    below. The only way to have accounts on freeipa in this case is to use
    the winsync method, which has a number of limitations.
    Also clients will be rather confused when you try to
    ipa-client-install as they will find AD servers instead of ipa
    servers.
    Finally, you'll have to use a different realm name for the IPA domain,
    one that doesn't match the AD domain.

    HTH,
    Simo.

    > > We have an Oracle dsee7
    > > server doing LDAP for our Linux servers and accounts. We want to
    > > migrate to IPA so we don't have to maintain a Linux/LDAP account
    > > for every user who needs access to Linux servers. All of our users
    > > start with an account in AD and since none of my predecessors knew
    > > about Winbind, they set up dsee7.
    > >
    > > So I'm thinking we'll need to import all our dsee7 accounts AND
    > > make it possible for AD users to access the Linux systems without
    > > needing to create them in IPA.
    >
    >
    > So the approach would be:
    >
    > 1) Install IPA (do not migrate users)
    > 2) Establish trust with AD
    > 3) Start switching client configuration from using LDAP with
    > dsee7 to SSSD pointing to IPA
    >
    > You do not need to migrate users.



    --
    Simo Sorce * Red Hat, Inc * New York

    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
If life gives you melons, you may be dyslexic.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
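Dmitri's advice above is to copy the DNS records FreeIPA lists at the end of the install into an externally managed DNS, and Simo's warning is that clients can find AD servers instead of IPA servers when the names overlap. The following script, an added example that is not part of the thread and not FreeIPA's own tooling, parses a zone-style record list (the exact layout FreeIPA prints is assumed here; the hosts, addresses and the `lnx.e-bozo.com` records are constructed), queries each name through a pluggable resolver, and reports both records the DNS does not serve and foreign answers it serves for the same names. The `dnspython_resolver` helper assumes dnspython 2.x is installed; the offline `dict_resolver` needs nothing beyond the standard library.

```python
"""Check an external DNS for the records FreeIPA expects (added example)."""
import re
from typing import Callable, Dict, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    name: str   # owner name, lower-cased, with trailing dot
    rtype: str  # A, AAAA, SRV, TXT, ...
    rdata: str  # normalised record data


# Constructed sample in the zone-file style of the record list FreeIPA prints
# at the end of ipa-server-install (the exact layout of that list is an
# assumption; these are not real hosts or addresses).
SAMPLE_RECORDS = """\
; constructed sample
_kerberos-master._tcp.lnx.e-bozo.com. 86400 IN SRV 0 100 88 ipa1.lnx.e-bozo.com.
_kerberos-master._udp.lnx.e-bozo.com. 86400 IN SRV 0 100 88 ipa1.lnx.e-bozo.com.
_kerberos._tcp.lnx.e-bozo.com. 86400 IN SRV 0 100 88 ipa1.lnx.e-bozo.com.
_kerberos._udp.lnx.e-bozo.com. 86400 IN SRV 0 100 88 ipa1.lnx.e-bozo.com.
_kpasswd._tcp.lnx.e-bozo.com. 86400 IN SRV 0 100 464 ipa1.lnx.e-bozo.com.
_kpasswd._udp.lnx.e-bozo.com. 86400 IN SRV 0 100 464 ipa1.lnx.e-bozo.com.
_ldap._tcp.lnx.e-bozo.com. 86400 IN SRV 0 100 389 ipa1.lnx.e-bozo.com.
_kerberos.lnx.e-bozo.com. 86400 IN TXT "LNX.E-BOZO.COM"
ipa-ca.lnx.e-bozo.com. 86400 IN A 192.0.2.10
"""

# owner  [ttl]  [IN]  type  rdata
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+?)\s*$")


def normalize_rdata(rtype: str, rdata: str) -> str:
    """Canonical form so resolver answers compare equal to the file's lines."""
    rdata = " ".join(rdata.split())
    if rtype == "TXT":
        return rdata.strip('"')
    if rtype in ("SRV", "CNAME", "NS", "PTR"):
        # Target hostnames are case-insensitive; force a trailing dot.
        parts = rdata.split(" ")
        parts[-1] = parts[-1].lower().rstrip(".") + "."
        return " ".join(parts)
    return rdata.lower()


def parse_records(text: str) -> List[Record]:
    """Parse the zone-style list into Record tuples, skipping comments."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse record line: {line!r}")
        name, rtype, rdata = m.groups()
        records.append(Record(name.lower().rstrip(".") + ".", rtype,
                              normalize_rdata(rtype, rdata)))
    return records


# A resolver is any callable (name, rtype) -> set of rdata strings; an empty
# set means NXDOMAIN/NODATA. Keeping it pluggable makes the check testable offline.
Resolver = Callable[[str, str], Set[str]]


def dict_resolver(zone: Dict[Tuple[str, str], Set[str]]) -> Resolver:
    """Offline resolver built from a {(name, rtype): {rdata, ...}} table."""
    return lambda name, rtype: set(zone.get((name.lower(), rtype), set()))


def dnspython_resolver(nameserver: str) -> Resolver:
    """Live resolver against one server; assumes dnspython >= 2.0 is installed."""
    import dns.resolver  # imported lazily so the offline path has no dependency
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver]

    def resolve(name: str, rtype: str) -> Set[str]:
        try:
            return {r.to_text() for r in res.resolve(name, rtype)}
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return set()
    return resolve


def check_records(expected: List[Record], resolve: Resolver) -> Tuple[List[Record], List[Record]]:
    """Return (missing, foreign): expected records the DNS does not serve, and
    answers it serves for those same names that the IPA list did not define
    (for example AD domain controllers answering an SRV name IPA also uses)."""
    wanted: Dict[Tuple[str, str], Set[str]] = {}
    for rec in expected:
        wanted.setdefault((rec.name, rec.rtype), set()).add(rec.rdata)
    missing: List[Record] = []
    foreign: List[Record] = []
    for (name, rtype), rdatas in wanted.items():
        served = {normalize_rdata(rtype, r) for r in resolve(name, rtype)}
        missing.extend(Record(name, rtype, r) for r in sorted(rdatas - served))
        foreign.extend(Record(name, rtype, r) for r in sorted(served - rdatas))
    return missing, foreign


if __name__ == "__main__":
    # Offline demonstration: a zone missing one SRV record and carrying a
    # foreign (constructed) AD answer for the _ldap._tcp name.
    expected = parse_records(SAMPLE_RECORDS)
    zone: Dict[Tuple[str, str], Set[str]] = {}
    for rec in expected:
        if not rec.name.startswith("_kpasswd._udp."):
            zone.setdefault((rec.name, rec.rtype), set()).add(rec.rdata)
    zone[("_ldap._tcp.lnx.e-bozo.com.", "SRV")].add("0 100 389 DC1.ad.e-bozo.com.")
    missing, foreign = check_records(expected, dict_resolver(zone))
    for rec in missing:
        print("MISSING:", *rec)
    for rec in foreign:
        print("FOREIGN:", *rec)
```

To run it against a real server, replace `dict_resolver(zone)` with `dnspython_resolver("<your DNS server IP>")` and feed the record list FreeIPA printed for you; a non-empty `missing` list means the trust setup will still fail on that server, and a non-empty `foreign` list for the SRV names is exactly the "clients find AD servers instead of IPA servers" situation Simo describes.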
