I've been trying to get our new AD environment and our existing IPA
environment all happy, but am having little luck. To start, our info and a
few questions:

IPA servers running CentOS 6.5 and ipa-server-3.0.0-42
Windows DC servers running Windows Server 2012

Anonymized domain info:
IPA NetBIOS domain: IPA
IPA DNS domain:
WIN NetBIOS domain: AD
WIN DNS domain:

AD environment using itself for DNS, IPA environment using external DNS
(Cobbler/Bind). The appropriate _tcp, _ldap, etc. DNS entries have been
created in the domain in Bind. I have set up users in IPA and AD
with the same username and added a name mapping in AD to

1) Is it possible to log into a workstation that's been joined to a domain
with IPA credentials?

2) If so, what are the minimum requirements for that? Do I need to run
FreeIPA 3.3 on CentOS 7? FreeIPA 4 on Fedora? Something else?
3) Is there any way to log into the domain workstation with the NetBIOS
domain and username and have it authenticate against the IPA environment?
As in AD\username instead of If only the latter will
work, will users be able to map drives and access other AD resources
without being prompted for username/pass?

4) For initial setup of users, do the passwords for the AD and IPA accounts
need to be the same? Will a password change in the Windows environment
change the IPA password?

Any other hints, etc. for how to get this all working would be appreciated.
I've gone through the FreeIPA AD Trust page(s) and various other sources,
but am unclear on how things should work and whether or not I'm doing
something wrong. Our old Windows 2003 domain is authenticating fine against
MIT Kerberos, so I'm rather surprised how difficult this is proving to be.

Many thanks in advance,

Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to