I've been trying to get our new AD environment and our existing IPA
environment all happy, but am having little luck. To start, our info and a
IPA servers running CentOS 6.5 and ipa-server-3.0.0-42
Windows DC servers running Windows Server 2012
Anonymized domain info:
IPA NetBIOS domain: IPA
IPA DNS domain: domain.com
WIN NetBIOS domain: AD
WIN DNS domain: win.domain.com
AD environment using itself for DNS, IPA environment using external DNS
(Cobbler/Bind). The appropriate _tcp, _ldap, etc. DNS entries have been
created in the domain.com domain in Bind. I have set up users in IPA and AD
with the same username and added a name mapping in AD to usern...@domain.com.
1) Is it possible to log into a workstation that's been joined to a domain
with IPA credentials?
2) If so, what are the minimum requirements for that? Do I need to run
FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora? Something else?
3) Is there any way to log into the domain workstation with the NetBIOS
domain and username and have it authenticate against the IPA environment?
As in AD\username instead of usern...@domain.com? If only the latter will
work, will users be able to map drives and access other AD resources
without being prompted for username/pass?
4) For initial setup of users, do the passwords for the AD and IPA accounts
need to be the same? Will a password change in the Windows environment
change the IPA password?
Any other hints, etc. for how to get this all working would be appreciated.
I've gone through the FreeIPA AD Trust page(s) and various other sources,
but am unclear on how things should work and whether or not I'm doing
something wrong. Our old Windows 2003 domain is authenticating fine against
MIT Kerberos, so I'm rather surprised how difficult this is proving to be.
Many thanks in advance,
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project