On 03/30/2015 11:12 AM, Srdjan Dutina wrote:

I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site where only AD read-only domain controller (RODC) exists. I'm aware that for initial establishing of trust I need access to writable domain controller so IPA can add trust to AD domains and trusts. But after initial setup, can FreeIPA-AD trust continue to function with IPA access to RODC only?

Should work.

Will Kerberos authentication of AD users on IPA domain hosts work?
In this case, FreeIPA server should have DNS forward zone configured with RODC as a forwarder to AD?

Can't help you here. Hopefully somone with DNS knowledge will chime but they might be gone for the day.

AD users have cached passwords on RODC, so authentication is possible in case of WAN link failure.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to