On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
I'm testing a FreeIPA (v4.1.3, CentOS 7) - AD (2012 R2) trust on a branch
site where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishment of the trust I need access to
a writable domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function
with IPA having access to the RODC only?
Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured
with the RODC as a forwarder to AD?
Can't help you here. Hopefully someone with DNS knowledge will chime in, but
they might be gone for the day.
AD users have cached passwords on the RODC, so authentication is possible
in case of a WAN link failure.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project