I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch site
where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to a
writable domain controller so IPA can add the trust to AD Domains and Trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function with
IPA having access to the RODC only? Will Kerberos authentication of AD users on
IPA domain hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured with
the RODC as a forwarder to AD?
AD users have cached passwords on the RODC, so authentication is possible in
case of a WAN link failure.
